Odoo Security Advisory - 2015-account-inject
by Olivier Dony (odo)
Security Advisory 2015-account-inject

Title: SQL injection in Accounting module via RPC
Affects: All Odoo (formerly OpenERP) versions
Component: Accounting Module
Credits: Colin Newell, OpusVL
GitHub: https://github.com/odoo/odoo/issues/7240

I. Background

Odoo includes an Object-Relational Mapping (ORM) subsystem, which exposes a high-level abstraction of the underlying database backend to the rest of the Odoo components. The database backend is where all the business data and configuration data is stored, and the ORM hides the low-level details for accessing it, such as the crafting of database queries and the enforcement of access control on all resources. The ORM also takes care of properly sanitizing user-provided data, in order to prevent data corruption or breach by malicious users.

In some cases, for performance reasons or for very specific data access patterns, business logic components must directly use the lower-level database access layer without going through the regular ORM layer. Great care must be taken in those cases to ensure that user-provided data is sanitized and proper access control is enforced.

II. Problem Description

The Odoo Accounting module includes functions requiring direct use of the low-level database access layer without going through the ORM layer. One of these functions does not properly sanitize user-provided data, possibly leading to data corruption or data breach by malicious users, through the injection of arbitrary SQL commands inside database queries.

III. Impact

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 5.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Malicious Odoo users with at least read-only access to accounting data could craft specific RPC packets causing the injection of arbitrary SQL commands inside database queries. Such arbitrary SQL commands could allow the attacker to read or alter the database content in any manner, usually without leaving any trace. This could include very sensitive business data or access credentials of other users.

Exploiting this vulnerability requires remote network access and the credentials of a valid Odoo user on a database hosted on a vulnerable Odoo installation. Odoo S.A. is not aware of any malicious use of this vulnerability.

IV. Workaround

No workaround is available, but Odoo databases on which the Odoo Accounting module is not installed are not vulnerable. Please note that the Accounting module is often installed as a requirement for other modules such as Sales or Purchase Management.

Odoo Online servers have been patched as soon as the correction was available.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade to the latest revision, either via GitHub or by downloading the latest version from https://www.odoo.com/page/download or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo installation (the one containing the "openerp" and "addons" directories), then execute the patch command, typically: patch -p0 -f
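The following is an added illustration of the defect class described in sections I and II, not code from Odoo or from the patched function: a direct-cursor query that pastes an RPC-supplied value into the SQL text, beside the same query using bound parameters. The table, rows and function names are constructed for the example; sqlite3 stands in for Odoo's psycopg2 cursor so it runs offline.

```python
import sqlite3

def make_cr():
    # Constructed stand-in for an accounting table (not Odoo's real schema),
    # so the example runs offline without a PostgreSQL server.
    conn = sqlite3.connect(":memory:")
    cr = conn.cursor()
    cr.execute("CREATE TABLE account_move_line "
               "(id INTEGER, name TEXT, company_id INTEGER, balance REAL)")
    cr.executemany("INSERT INTO account_move_line VALUES (?, ?, ?, ?)", [
        (1, "INV/001", 1, 100.0),
        (2, "INV/002", 1, 250.0),
        (3, "BILL/007", 2, 999.0),  # belongs to another company
    ])
    return cr

def move_lines_vulnerable(cr, company_id, name_filter):
    # The pattern the advisory warns about: a value received over RPC is
    # formatted into the SQL text, so the database parses it as query syntax.
    query = ("SELECT id, name, balance FROM account_move_line "
             "WHERE company_id = %d AND name LIKE '%s'" % (company_id, name_filter))
    cr.execute(query)
    return cr.fetchall()

def move_lines_safe(cr, company_id, name_filter):
    # Bound parameters: the value travels separately from the SQL text and is
    # never parsed as SQL. Odoo's psycopg2 cursor uses '%s' placeholders with
    # the same query-string-plus-tuple discipline (sqlite3 uses '?').
    cr.execute("SELECT id, name, balance FROM account_move_line "
               "WHERE company_id = ? AND name LIKE ?", (company_id, name_filter))
    return cr.fetchall()

# A name containing a quote is just data. The safe query matches nothing;
# the vulnerable one lets it rewrite the WHERE clause and leaks every company's rows.
ODD_NAME = "' OR '1'='1"

if __name__ == "__main__":
    cr = make_cr()
    print("legit filter, safe:      ", move_lines_safe(cr, 1, "INV/%"))
    print("odd name, vulnerable:    ", move_lines_vulnerable(cr, 1, ODD_NAME))
    print("odd name, safe:          ", move_lines_safe(cr, 1, ODD_NAME))
```

The check to apply during code review of any direct `cr.execute()` call is the same: every user-influenced value must arrive through the parameter tuple, never through string formatting of the query text.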