auth_brute_force doesn't consider xmlrpc/jsonrpc login attempts #1125

Closed
LeartS opened this issue Jan 10, 2018 · 3 comments
LeartS commented Jan 10, 2018

It's possible to circumvent auth_brute_force security by trying logins via xmlrpc/jsonrpc. The login attempts done this way are not checked by the module and do not count towards the failed attempts limit towards the ban.

I would argue that the jsonrpc interface is the preferred one for bruteforcing tools, so IMO this limitation is non-negligible.
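The point of the report above is that a failed-login counter hooked only into the web login controller never sees authentications that arrive over the RPC endpoints. The following is an added illustration, not code from the auth_brute_force addon or from the issue author: it models two layouts of the same counter. In the naive one the guard wraps only the web form handler; in the hardened one it wraps the shared authentication routine that every entry point calls, and an IP whitelist is passed in as a plain configuration value. All names (`LoginGuard`, `NaiveServer`, `HardenedServer`, `simulate_failed_logins`), the threshold of 3 and the credential store are hypothetical and constructed for the example.

```python
"""Added example: counting failed logins at the shared authentication layer
instead of only in the web controller. Names and values are constructed;
this is not the addon's own code."""
from collections import defaultdict

MAX_FAILED = 3  # constructed threshold; the real addon reads its limit from config

USERS = {"admin": "correct-horse"}  # constructed credential store


def check_password(login, password):
    """Stand-in for the real credential check."""
    return USERS.get(login) == password


class LoginGuard:
    """Per-IP failed-attempt counter with a whitelist exemption."""

    def __init__(self, max_failed=MAX_FAILED, whitelist=()):
        self.max_failed = max_failed
        self.whitelist = set(whitelist)  # stands in for a whitelist config parameter
        self.failures = defaultdict(int)

    def is_banned(self, ip):
        return ip not in self.whitelist and self.failures[ip] >= self.max_failed

    def record(self, ip, success):
        # A successful login resets the counter; a failure increments it.
        if success:
            self.failures[ip] = 0
        else:
            self.failures[ip] += 1


class NaiveServer:
    """Vulnerable layout: the guard is only consulted by the web form handler."""

    def __init__(self, whitelist=()):
        self.guard = LoginGuard(whitelist=whitelist)

    def web_login(self, ip, login, password):
        if self.guard.is_banned(ip):
            return "banned"
        ok = check_password(login, password)
        self.guard.record(ip, ok)
        return "ok" if ok else "fail"

    def jsonrpc_login(self, ip, login, password):
        # The RPC path authenticates directly; the guard never sees these attempts.
        return "ok" if check_password(login, password) else "fail"


class HardenedServer:
    """Hardened layout: every entry point goes through one guarded authenticate()."""

    def __init__(self, whitelist=()):
        self.guard = LoginGuard(whitelist=whitelist)

    def authenticate(self, ip, login, password):
        if self.guard.is_banned(ip):
            return "banned"
        ok = check_password(login, password)
        self.guard.record(ip, ok)
        return "ok" if ok else "fail"

    def web_login(self, ip, login, password):
        return self.authenticate(ip, login, password)

    def jsonrpc_login(self, ip, login, password):
        return self.authenticate(ip, login, password)


def simulate_failed_logins(server, ip="203.0.113.7", rpc_attempts=5):
    """Regression check: wrong passwords over RPC, then one more over the web form.
    Returns the list of outcomes so the two layouts can be compared."""
    results = [server.jsonrpc_login(ip, "admin", f"wrong{i}") for i in range(rpc_attempts)]
    results.append(server.web_login(ip, "admin", "wrong"))
    return results


if __name__ == "__main__":
    print("naive:   ", simulate_failed_logins(NaiveServer()))
    print("hardened:", simulate_failed_logins(HardenedServer()))
    print("whitelisted:", simulate_failed_logins(HardenedServer(whitelist=["203.0.113.7"])))
```

With the naive layout the RPC attempts never increment the counter, so the final web attempt is still answered with a plain failure; with the hardened layout the fourth attempt from the same address is refused regardless of which entry point it used, and a whitelisted address is never refused.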

legalsylvain (Contributor) commented:
👍 When I wrote this module, I just tested with Front UI attempts.
This could be a good addition to log tries from xmlrpc. Do you think you could make a PR?

regards.

legalsylvain (Contributor) commented:
Hi @lasley. I allowed myself to change the label you set. I think that "bug" is more appropriate because what @LeartS is talking about makes this module useless.

yajo added a commit to Tecnativa/server-tools that referenced this issue Apr 12, 2018
To fix OCA#1125 I needed to refactor the addon.

The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied. This PR is implemented assuming odoo/odoo#24187 will be merged and backported.
yajo (Member) commented Apr 27, 2018

The fix is in #1219, let's continue there.

@yajo yajo closed this as completed Apr 27, 2018
yajo added a commit to Tecnativa/server-tools that referenced this issue Apr 27, 2018
To fix OCA#1125 I needed to refactor the addon. To whitelist IPs now you use a config parameter, which renders res.banned.remote model unneeded.

The fix is affected by odoo/odoo#24183 and will not work until it gets fixed upstream due to the technical limitations implied.
yajo added a commit that referenced this issue May 18, 2018
yajo added a commit to Tecnativa/server-auth that referenced this issue May 21, 2018
[FIX] auth_brute_force: Small typos

- The `whitelisted` field needs to exist in view to be usable.
- The correct class is `decoration-danger` for tree views.
yajo added a commit to Tecnativa/server-auth that referenced this issue May 21, 2018
[FIX] auth_brute_force: Small typos (#1250)

- The `whitelisted` field needs to exist in view to be usable.
- The correct class is `decoration-danger` for tree views.
yajo added a commit to Tecnativa/server-auth that referenced this issue May 21, 2018
yajo added a commit to Tecnativa/server-auth that referenced this issue May 21, 2018
[FIX] auth_brute_force: Fix addon requirement computation (OCA/server-tools#1251)

Include HACK for odoo/odoo#24833, which explains the false positive problem we were having here: an addon being importable doesn't mean it is installed.
yajo added a commit to Tecnativa/server-auth that referenced this issue May 22, 2018
yajo added a commit to Tecnativa/server-auth that referenced this issue May 22, 2018
yajo added a commit to Tecnativa/server-tools that referenced this issue May 24, 2018
daramousk pushed a commit to daramousk/server-tools that referenced this issue Jul 16, 2018
daramousk pushed a commit to daramousk/server-tools that referenced this issue Oct 2, 2019
kait-avalah pushed a commit to kait-avalah/server-tools that referenced this issue Jul 21, 2020
kait-avalah pushed a commit to kait-avalah/server-tools that referenced this issue Jul 21, 2020
kait-avalah pushed a commit to kait-avalah/server-tools that referenced this issue Aug 25, 2020
nikunjantala pushed a commit to Nitrokey/odoo-server-auth that referenced this issue Sep 5, 2022
nikunjantala pushed a commit to Nitrokey/odoo-server-auth that referenced this issue Sep 28, 2022
nikunjantala pushed a commit to Nitrokey/odoo-server-auth that referenced this issue Oct 10, 2022
dsolanki-initos pushed a commit to Nitrokey/odoo-server-auth that referenced this issue Nov 30, 2022