by hrbrtglm
4002 days ago
Well, that's really interesting for all of us who work with multi-tenant webapps. Maybe you took some notes. Could you share some more info, if you are free to disclose it, on how you poked at the connection pool?
I haven't looked at the OpenERP sources, but I think the database in use is PostgreSQL. > "for a user of one database to access other database" Was OpenERP using a database for each tenant or one database with multiple schemas?
If it was the former, were all databases accessed with the same credentials?
Which connection pool was it? Pgpool / Pgbouncer?
Where was the vulnerability: code, db, pool, config setup? Sorry for all these questions, I'm indeed very interested and involved in this topic.
OpenERP, at least back then, was using a single PostgreSQL cluster for a given OpenERP server. Each tenant had its own PostgreSQL database. In multiple places, OpenERP allows the administrator role of a tenant to customize OpenERP with Python code. Basically you can inject Python code for execution, and it is run in the same processes used for every tenant. OpenERP tries to limit what the Python expressions can do.
The idea of what I did was, starting from the objects I had access to, to find a way to get a database cursor to a database other than mine.
The connection pool in OpenERP is custom and part of the Python code base.
To get the cursor, I poked at some object, took its class and re-instantiated it (this is all straightforward to do in Python) with the name of another database (listing other databases was another longstanding issue of OpenERP).
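The escape the reply above describes, as an added example that is not part of the thread and not OpenERP's code: a toy per-tenant pool whose cursor class takes only a database name, a restricted `eval` that hands tenant code its own cursor as `cr`, and the tenant expression that reaches another database by re-instantiating `cr.__class__`. The `Cursor`/`CheckedCursor` classes, the sandbox, the sqlite stand-in for one PostgreSQL database per tenant and the tenant names are all constructed assumptions; the attacker is assumed to already know the other database's name, as the reply says was possible.

```python
"""Toy model of the class re-instantiation escape the reply describes.
Added example, not OpenERP code: Cursor, CheckedCursor, the sandbox and
the tenant names are constructed assumptions."""
import contextvars
import sqlite3

# Constructed stand-in for one PostgreSQL database per tenant in one cluster:
# one in-memory sqlite connection per database name, each seeded with a row
# that only that tenant should be able to read.
_DATABASES = {}


def _connect(dbname):
    if dbname not in _DATABASES:
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE secrets (value TEXT)")
        conn.execute("INSERT INTO secrets VALUES (?)", ("secret of " + dbname,))
        _DATABASES[dbname] = conn
    return _DATABASES[dbname]


# The tenant the server is currently serving, set per request by trusted code.
CURRENT_TENANT = contextvars.ContextVar("current_tenant")


class Cursor:
    """Hypothetical pool cursor, constructed from a database name only."""

    def __init__(self, dbname):
        self.dbname = dbname
        self._conn = _connect(dbname)

    def execute(self, sql, params=()):
        return self._conn.execute(sql, params).fetchall()


class CheckedCursor(Cursor):
    """Hardened variant: the pool refuses to hand out a cursor for any
    database other than the one bound to the current request."""

    def __init__(self, dbname):
        if dbname != CURRENT_TENANT.get():
            raise PermissionError("cursor requested for another tenant's database")
        super().__init__(dbname)


SAFE_BUILTINS = {"len": len, "str": str}  # no open, no __import__, no type


def run_tenant_expression(expr, dbname, cursor_cls=Cursor):
    """Evaluate tenant-supplied code with restricted builtins, exposing the
    tenant's own cursor as `cr`. Builtins are limited, but attribute access
    on the objects handed in is not, which is the whole problem."""
    CURRENT_TENANT.set(dbname)
    cr = cursor_cls(dbname)
    return eval(expr, {"__builtins__": SAFE_BUILTINS}, {"cr": cr})


# Attacker expression: take the class of the object we were given and
# re-instantiate it with another tenant's database name.
ESCAPE = 'cr.__class__("tenant_b").execute("SELECT value FROM secrets")'


def demo_escape():
    """Tenant A's code reads tenant B's row through the unchecked pool."""
    return run_tenant_expression(ESCAPE, "tenant_a")


def demo_checked():
    """With the tenant check in the pool, the same expression is refused."""
    try:
        run_tenant_expression(ESCAPE, "tenant_a", CheckedCursor)
    except PermissionError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(demo_escape())   # [('secret of tenant_b',)]
    print(demo_checked())  # cursor requested for another tenant's database
```

The check in `CheckedCursor` is defence in depth, not a sandbox: tenant code that can reach `cr` can also walk `cr.__init__.__globals__` to the `CURRENT_TENANT` variable and reset it, because Python attribute access cannot be fenced off from inside the same process. The durable fix is to stop sharing the process (or the database credentials) between tenants, which is the design point the reply's "run in the same processes used for every tenant" remark makes.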