Community mailing list archives

community@mail.odoo.com

Odoo Security Advisory - 2015-account-inject

by Olivier Dony (odo) - 06/23/2015 12:45:27
Security Advisory                             2015-account-inject


Title: SQL injection in Accounting module via RPC

Affects: All Odoo (formerly OpenERP) versions
Component: Accounting Module
Credits: Colin Newell, OpusVL

GitHub: https://github.com/odoo/odoo/issues/7240


I.   Background

Odoo includes an Object-Relational Mapping (ORM) subsystem,
which exposes a high-level abstraction of the underlying
database backend to the rest of the Odoo components.

The database backend is where all the business data and
configuration data is stored, and the ORM hides the low-level
details for accessing it, such as the crafting of database
queries and enforcing of access control to all resources.

The ORM also takes care of properly sanitizing user-provided data,
in order to prevent data corruption or breach by malicious users.

In some cases, for performance reasons or for very specific data
access patterns, business logic components must directly use the
lower-level database access layer without going through the regular
ORM layer. Great care must be taken in those cases to ensure
that user-provided data is sanitized and proper access control
is enforced.


II.  Problem Description

The Odoo Accounting module includes functions requiring direct
use of the low-level database access layer without going through
the ORM layer.

One of these functions does not properly sanitize user-provided
data, possibly leading to data corruption or data breach by
malicious users, through the injection of arbitrary SQL commands
inside database queries.
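The distinction drawn in the Background and Problem Description sections, between letting the ORM sanitize values and handing an RPC-supplied value straight to the low-level cursor, is illustrated below with an added example. It is not code from the advisory or from the Odoo Accounting module, and it does not reproduce the affected function; it shows the generic vulnerable pattern (string formatting into the query text) next to the hardened pattern (parameter binding), and goes one step further by showing the allow-list check needed when a user-chosen identifier such as a sort column cannot be bound. Odoo's cursor wraps psycopg2 and uses `%s` placeholders; the example runs on an in-memory SQLite database, which uses `?`, so the table, rows and function names are all constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for accounting journal items.
# Columns: id, name, debit, credit, company_id
SAMPLE_ROWS = [
    (1, "INV/2015/001", 100.0, 0.0, 1),
    (2, "INV/2015/002", 0.0, 100.0, 1),
    (3, "BNK/2015/001", 50.0, 0.0, 2),
]

# Fields a caller may legitimately sort by (hypothetical allow-list).
ORDERABLE_FIELDS = {"id", "name", "debit", "credit"}


def make_cursor():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    cr = conn.cursor()
    cr.execute(
        "CREATE TABLE account_move_line ("
        "id INTEGER PRIMARY KEY, name TEXT, debit REAL, credit REAL, "
        "company_id INTEGER)"
    )
    cr.executemany("INSERT INTO account_move_line VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return cr


def find_lines_unsafe(cr, name):
    """Vulnerable pattern: the RPC-supplied value is pasted into the SQL text.

    Whatever the caller sends becomes part of the statement, so a value
    containing a quote can change the WHERE clause instead of being compared.
    """
    cr.execute("SELECT id FROM account_move_line WHERE name = '%s'" % name)
    return [row[0] for row in cr.fetchall()]


def find_lines_safe(cr, name):
    """Hardened pattern: the value travels as a bound parameter.

    The database driver keeps statement and data separate; the value can only
    ever be compared against the column, never parsed as SQL. With Odoo's
    psycopg2 cursor the placeholder is %s and the call is otherwise identical.
    """
    cr.execute("SELECT id FROM account_move_line WHERE name = ?", (name,))
    return [row[0] for row in cr.fetchall()]


def list_lines_ordered(cr, order_field):
    """Identifiers cannot be bound as parameters, so validate before interpolating.

    Any value that must become part of the statement itself (column or table
    name, sort direction) is checked against a fixed allow-list first.
    """
    if order_field not in ORDERABLE_FIELDS:
        raise ValueError("refusing to order by unexpected field: %r" % order_field)
    cr.execute("SELECT id FROM account_move_line ORDER BY %s" % order_field)
    return [row[0] for row in cr.fetchall()]


def demo():
    """Run both lookups with a legitimate value and a quote-bearing value."""
    cr = make_cursor()
    legit = "INV/2015/001"
    # Constructed input that closes the string literal and appends a tautology.
    hostile = "' OR '1'='1"
    return {
        "unsafe_legit": find_lines_unsafe(cr, legit),
        "unsafe_hostile": find_lines_unsafe(cr, hostile),
        "safe_legit": find_lines_safe(cr, legit),
        "safe_hostile": find_lines_safe(cr, hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the unsafe lookup returning every row for the quote-bearing input, while the parameterized lookup returns nothing, because no row has that literal name. The allow-list in `list_lines_ordered` is the complement to parameter binding: binding covers values, the allow-list covers the parts of a statement that must remain identifiers.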


III. Impact

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 5.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Malicious Odoo users with at least read-only access to accounting
data could craft specific RPC packets causing the injection of
arbitrary SQL commands inside database queries.

Such arbitrary SQL commands could allow the attacker to read or
alter the database content in any manner, usually without leaving
any trace. This could include very sensitive business data or
access credentials from other users.

Exploiting this vulnerability requires remote network access and
the credentials of a valid Odoo user on a database hosted on a
vulnerable Odoo installation.

Odoo S.A. is not aware of any malicious use of this vulnerability.


IV.  Workaround

No workaround is available, but Odoo databases on which the Odoo
Accounting module is not installed are not vulnerable.
Please note that the Accounting module is often installed as a
requirement for other modules such as Sales or Purchase Management.

Odoo Online servers have been patched as soon as the correction was
available.


V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

          patch -p0 -f