
Odoo lists all databases over the JSON-RPC API even when dbfilter is active; this is a security problem.

Peter Baumann

Hi all,

I have an Odoo instance running on the internet with dbfilter set to the hostname (^%h$). This works when I check the URL https://www.domain.com/web/database/selector or the manager page.

What I have seen now is that it is still possible to list all the Odoo databases when you send the following POST request to https://www.domain.com/jsonrpc?session_id

POST /jsonrpc?session_id HTTP/1.1
Content-Type: application/json
Host: www.domain.com
Connection: close
User-Agent: a/3.0.14
Content-Length: 100

{"jsonrpc":"2.0","method":"call","id":921359310,"params":{"method":"list","service":"db","args":{}}}


Then I get back all the databases, which is a security problem in Odoo.


Does anyone know how to prevent that?


Thanks,

Peter
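The following is an added example, not part of the post above and not Odoo's own code. It builds the same db.list JSON-RPC call the post shows, parses the reply, and reports which listed database names a given dbfilter would have hidden for the requesting host, which is exactly the gap described: the web selector applies dbfilter, the raw RPC does not. The %h/%d expansion is modelled on Odoo's web-layer dbfilter handling (full hostname without port, first domain label skipping a leading "www", both regex-escaped). The hostnames, database names and the two sample replies are constructed; the "error" reply stands in for what Odoo returns when database listing is disabled with list_db = False in odoo.conf, which is the configuration change that closes this hole independently of dbfilter.

```python
import json
import re
import urllib.request


def build_db_list_request(request_id=921359310):
    """Return the JSON-RPC 2.0 payload that asks Odoo's 'db' service to list databases.

    Same call as in the post: service "db", method "list", no arguments.
    """
    return {
        "jsonrpc": "2.0",
        "method": "call",
        "id": request_id,
        "params": {"service": "db", "method": "list", "args": {}},
    }


def expand_dbfilter(dbfilter, host):
    """Expand %h / %d in a dbfilter value, modelled on Odoo's web layer.

    %h is the full hostname (port stripped); %d is the first domain label,
    skipping a leading 'www'. Both are regex-escaped before substitution.
    """
    h = host.split(":")[0]
    d, _, rest = h.partition(".")
    if d == "www" and rest:
        d = rest.partition(".")[0]
    return dbfilter.replace("%h", re.escape(h)).replace("%d", re.escape(d))


def parse_db_list_response(text):
    """Parse a JSON-RPC reply to db.list.

    Returns (denied, databases): denied is True when the server answered with
    a JSON-RPC error object (the case when listing is disabled), otherwise the
    'result' array holds the database names.
    """
    reply = json.loads(text)
    if "error" in reply:
        return True, []
    return False, list(reply.get("result", []))


def leaked_databases(listed, dbfilter, host):
    """Names in `listed` that dbfilter would hide for this host.

    Anything returned here is visible to an anonymous db.list caller but not
    through /web/database/selector.
    """
    pattern = expand_dbfilter(dbfilter, host)
    return [name for name in listed if not re.match(pattern, name)]


def probe(base_url, dbfilter, host, timeout=10):
    """Live check against an instance you are authorised to test (needs network).

    Returns (denied, leaked) for base_url such as "https://www.domain.com".
    """
    body = json.dumps(build_db_list_request()).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/jsonrpc",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        denied, dbs = parse_db_list_response(resp.read().decode())
    return denied, leaked_databases(dbs, dbfilter, host)


if __name__ == "__main__":
    # Constructed sample replies: one instance that lists everything, one that
    # refuses (the shape of the refusal is illustrative, not copied from Odoo).
    leaking = ('{"jsonrpc": "2.0", "id": 921359310, '
               '"result": ["www.domain.com", "staging", "customer2"]}')
    locked = ('{"jsonrpc": "2.0", "id": 921359310, '
              '"error": {"code": 200, "message": "Odoo Server Error", '
              '"data": {"name": "odoo.exceptions.AccessDenied"}}}')
    for label, text in (("leaking", leaking), ("locked", locked)):
        denied, dbs = parse_db_list_response(text)
        if denied:
            print(label, "listing denied")
        else:
            print(label, "leaked:", leaked_databases(dbs, "^%h$", "www.domain.com"))
```

Run it offline to see the two outcomes on the constructed replies; point probe() at your own instance to check whether its db.list answer contains names that the selector page hides. A non-empty leaked list means the filter only hides databases from the UI, and list_db = False (or blocking the db service at the reverse proxy) is needed to stop enumeration.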
