Community mailing list archives

community@mail.odoo.com

Firewall security issues with Odoo

by Daniel Reis - 10/28/2015 09:45:35

Hello all,

I've been investigating a problem where some users complained that the
"download" (to xls) button in Pivot Tables did not work, erroring in the
JavaScript code with an "Access Denied" message.

I traced it down to the firewall security rules: it turns out that these
requests triggered an "IE XSS Filters - Attack Detected" and blocked them.

In the firewall log we see several times the message below (redacted for
privacy):

2015:10:28-11:40:30 mx1-1 reverseproxy: [Wed Oct 28 11:40:30.876114
2015] [security2:error] [pid 31639:tid 3938261872] [client xx.xx.xx.xx]
ModSecurity: Rule 9122948 [id "973302"][file
"/usr/apache/conf/waf/modsecurity_crs_xss_attacks.conf"][line "309"] -
Execution error - PCRE limits exceeded (-8): (null). [hostname
"www.acme.com"] [uri "/web_graph/export_xls"] [unique_id
"VjC0LgpiawEAAHuXHm7AAABJ"]

Disabling this rule solved the problem.


Has anyone else found a similar issue?
Could this be a problem with the Odoo web client, or maybe with my
network configs?

Any advice would be appreciated.

Thanks in advance,
Daniel Reis
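
A way to triage the kind of log entry quoted in this message, as an added example (not part of the original post, and not Odoo or ModSecurity code): it counts, per rule id and URI, the entries where a rule stopped with "PCRE limits exceeded", so the affected rule and endpoint can be identified from the log. It assumes one log entry per line (the e-mail wraps them); the client addresses, hostname, rule 999999, the "Access denied" entry and the /example paths are constructed.

```python
import re
from collections import Counter

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')  # [key "value"] metadata pairs
EXEC_ERR = re.compile(r"Execution error - PCRE limits exceeded \((-?\d+)\)")

def pcre_limit_hits(log_text):
    """Tally (rule id, uri) pairs where a rule aborted on PCRE limits.

    These entries mean the regex engine gave up before finishing, so the
    rule was never fully evaluated; they are not pattern matches.
    """
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity:" not in line or not EXEC_ERR.search(line):
            continue  # genuine rule matches and unrelated lines are skipped
        fields = dict(FIELD.findall(line))
        hits[(fields.get("id", "?"), fields.get("uri", "?"))] += 1
    return hits

# Constructed sample input: only the rule number, id, file, line and the
# /web_graph/export_xls URI come from the post; everything else is made up.
def _entry(client, uri, detail):
    return ("2015:10:28-11:40:30 mx1-1 reverseproxy: [security2:error] "
            f"[client {client}] ModSecurity: {detail} "
            f'[hostname "www.example.test"] [uri "{uri}"] [unique_id "constructed"]')

PCRE_ERR = ('Rule 9122948 [id "973302"][file "/usr/apache/conf/waf/'
            'modsecurity_crs_xss_attacks.conf"][line "309"] - Execution error - '
            "PCRE limits exceeded (-8): (null).")
BLOCKED = ("Access denied with code 403 (phase 2). Pattern match at ARGS:q. "
           '[file "/usr/apache/conf/waf/example.conf"] [id "999999"]')

SAMPLE_LOG = "\n".join([
    _entry("192.0.2.10", "/web_graph/export_xls", PCRE_ERR),
    _entry("192.0.2.11", "/web_graph/export_xls", PCRE_ERR),
    _entry("192.0.2.12", "/example/search", BLOCKED),
    _entry("192.0.2.10", "/example/other", PCRE_ERR),
])

if __name__ == "__main__":
    for (rule_id, uri), count in pcre_limit_hits(SAMPLE_LOG).most_common():
        print(f"rule {rule_id}  {uri}  PCRE-limit errors: {count}")
```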