Hi all,
I have an Odoo instance running on the internet with dbfilter set to the hostname (^%h$). This works when I check the URL https://www.domain.com/web/database/selector or manager.
What I have seen now is that it is still possible to list all the Odoo databases when you send the following POST request to https://www.domain.com/jsonrpc?session_id:

POST /jsonrpc?session_id HTTP/1.1
Content-Type: application/json
Host: www.domain.com
Connection: close
User-Agent: a/3.0.14

{"jsonrpc":"2.0","method":"call","id":921359310,"params":{"method":"list","service":"db","args":{}}}

Then I get back all the databases, which is a security problem in Odoo.
Does anyone know how to prevent that?
Thanks,
Peter
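
A request filter for the JSON-RPC call shown in the post above, as an added example that is not part of the original post and is not Odoo's own code. It could sit in a reverse-proxy hook or be run over logged request bodies; the function name, the decision strings and the choice to refuse the whole `db` service are assumptions made for this example.

```python
import json

# Assumption for this example: the whole "db" service is refused at the edge.
DENIED_SERVICES = {"db"}
# With block_whole_service=False only these (service, method) pairs are refused.
DENIED_CALLS = {("db", "list")}


def classify_jsonrpc(path, body, block_whole_service=True):
    """Return (decision, reason) for one request; decision is 'allow' or 'deny'."""
    # Ignore the query string ("?session_id") when matching the endpoint.
    endpoint = path.split("?", 1)[0].rstrip("/")
    if endpoint != "/jsonrpc":
        return ("allow", "not the /jsonrpc endpoint")
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        # Fail closed: a body the filter cannot parse is not forwarded.
        return ("deny", "body is not valid JSON")
    params = msg.get("params") if isinstance(msg, dict) else None
    if not isinstance(params, dict):
        return ("deny", "missing params object")
    service, method = params.get("service"), params.get("method")
    if not isinstance(service, str) or not isinstance(method, str):
        return ("deny", "service/method missing or not strings")
    if block_whole_service and service in DENIED_SERVICES:
        return ("deny", "call to service %r" % service)
    if (service, method) in DENIED_CALLS:
        return ("deny", "call to %s.%s" % (service, method))
    return ("allow", "%s.%s" % (service, method))


# Constructed samples; the first body is the one quoted in the post.
POST_BODY = ('{"jsonrpc":"2.0","method":"call","id":921359310,'
             '"params":{"method":"list","service":"db","args":{}}}')
OBJECT_BODY = ('{"jsonrpc":"2.0","method":"call","id":1,'
               '"params":{"service":"object","method":"execute_kw","args":[]}}')

if __name__ == "__main__":
    for path, body in [("/jsonrpc?session_id", POST_BODY),
                       ("/jsonrpc", OBJECT_BODY),
                       ("/jsonrpc", "not json")]:
        print(path, "->", classify_jsonrpc(path, body))
```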