odoo locked and limited conversation to collaborators on Jun 23, 2015.
odony added the Security label (security announcements) and removed the Confirmed (the bug was confirmed by testers) and OE (the report is linked to a support ticket (opw-...)) labels on Jun 23, 2015.
odony changed the title from "[SEC] SQL injection in Accounting module via RPC" to "[SEC] 2015-account-inject - SQL injection in Accounting module via RPC" on Feb 24, 2016.
Security Advisory (2015-account-inject)
SQL injection in Accounting module via RPC
Affects: All Odoo (formerly OpenERP) versions
Component: Accounting Module
Credits: Colin Newell, OpusVL
I. Background
Odoo includes an Object-Relational Mapping (ORM) subsystem,
which exposes a high-level abstraction of the underlying
database backend to the rest of the Odoo components.
The database backend is where all the business data and
configuration data is stored, and the ORM hides the low-level
details for accessing it, such as the crafting of database
queries and enforcing of access control to all resources.
The ORM also takes care of properly sanitizing user-provided data,
in order to prevent data corruption or breach by malicious users.
In some cases, for performance reasons or for very specific data
access patterns, business logic components must directly use the
lower-level database access layer without going through the regular
ORM layer. Great care must be exercised in those cases to ensure
that user-provided data is sanitized and proper access control
enforced.
II. Problem Description
The Odoo Accounting module includes functions requiring direct
use of the low-level database access layer without going through
the ORM layer.
One of these functions does not properly sanitize user-provided
data, possibly leading to data corruption or data breach by
malicious users, through the injection of arbitrary SQL commands
inside database queries.
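The sanitization point above, shown as an added Python illustration that is not part of this advisory or of Odoo's code: a hypothetical accounting lookup written with string formatting beside the same lookup as a parameterized query, plus an allow-list for a user-chosen sort column, which parameters cannot protect. The table, rows and function names are constructed for the demo, and sqlite3 stands in for PostgreSQL so it runs offline.

```python
import sqlite3

# Constructed sample ledger standing in for accounting rows that a real Odoo
# database would hold in PostgreSQL (sqlite3 is used so the demo runs offline).
def make_db():
    cr = sqlite3.connect(":memory:")
    cr.execute("CREATE TABLE account_move_line (id INTEGER, name TEXT, debit REAL)")
    cr.executemany("INSERT INTO account_move_line VALUES (?, ?, ?)",
                   [(1, "Office rent", 500.0), (2, "O'Reilly Ltd invoice", 120.0)])
    return cr

def lines_by_name_unsafe(cr, name):
    # Vulnerable pattern: user-provided data is spliced into the SQL text,
    # so it can alter the statement instead of only supplying a value.
    return cr.execute(
        "SELECT id, debit FROM account_move_line WHERE name = '%s'" % name).fetchall()

def lines_by_name_safe(cr, name):
    # Hardened pattern: the SQL text is constant and the driver sends the value
    # separately (psycopg2, as used by Odoo, takes %s placeholders; sqlite3 takes ?).
    return cr.execute(
        "SELECT id, debit FROM account_move_line WHERE name = ?", (name,)).fetchall()

# Identifiers (column or table names) cannot be bound as parameters, so a
# user-chosen sort column must be checked against an explicit allow-list.
ALLOWED_ORDER_COLUMNS = {"id", "name", "debit"}

def lines_ordered(cr, order_by):
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unsupported sort column: %r" % order_by)
    return cr.execute(
        "SELECT id FROM account_move_line ORDER BY %s" % order_by).fetchall()

def demo():
    # A legitimate name containing a quote is enough to show the difference:
    # the unsafe form lets the quote end the string literal and the statement
    # no longer parses, while the safe form treats it as plain data.
    cr = make_db()
    try:
        lines_by_name_unsafe(cr, "O'Reilly Ltd invoice")
        unsafe_broke = False
    except sqlite3.OperationalError:
        unsafe_broke = True
    safe_rows = lines_by_name_safe(cr, "O'Reilly Ltd invoice")
    return unsafe_broke, safe_rows
```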
III. Impact
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 5.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Malicious Odoo users with at least read-only access to accounting
data could craft specific RPC packets causing the injection of
arbitrary SQL commands inside database queries.
Such arbitrary SQL commands could allow the attacker to read or
alter the database content in any manner, usually without leaving
any trace. This could include very sensitive business data or
access credentials from other users.
Exploiting this vulnerability requires remote network access and
the credentials of a valid Odoo user on a database hosted on a
vulnerable Odoo installation.
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
No workaround is available, but Odoo databases on which the Odoo
Accounting module is not installed are not vulnerable.
Please note that the Accounting module is often installed as a
requirement for other modules such as Sales or Purchase Management.
Odoo Online servers have been patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: