Odoo list all databases over JSON-RPC API even when dbfilter is active, this is a security problem.

Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:

CRM
e-Commerce
Accounting
Inventory
PoS
Project management
MRP

Take the tour

Posts People Badges

Tags View all

odoo accounting v7 pos invoice

About this forum

Help

Odoo list all databases over JSON-RPC API even when dbfilter is active, this is a security problem.

5473 Views

security api jsonrpc

Peter Baumann

Hi all,

I have a odoo instance running on the internet with dbfilter active to hostname (^%h$). This works when I check the url https://www.domain.com/web/database/selector or manager.

What I have seen now is that still it is possible to list all the odoo databases when you do the following POST request to https://www.domain.com/jsonrpc?session_id

POST /jsonrpc?session_id HTTP/1.1
Content-Type: application/json
Host: www.domain.com
Connection: close
User-Agent: a/3.0.14
{"jsonrpc":"2.0","method":"call","id":921359310,"params":{"method":"list","service":"db","args":{}}}

Then I get back all the databases which is a security problem of odoo.

Anyone who knows how to prevent that?

Thanks,

Peter

This question has been flagged