[SEC] 2015-account-inject - SQL injection in Accounting module via RPC #7240

Closed
odony opened this issue Jun 23, 2015 · 0 comments
Labels: Security (security announcements)

odony commented Jun 23, 2015

Security Advisory (2015-account-inject)

SQL injection in Accounting module via RPC

Affects: All Odoo (formerly OpenERP) versions
Component: Accounting Module
Credits: Colin Newell, OpusVL

I. Background

Odoo includes an Object-Relational Mapping (ORM) subsystem,
which exposes a high-level abstraction of the underlying
database backend to the rest of the Odoo components.

The database backend is where all the business data and
configuration data is stored, and the ORM hides the low-level
details for accessing it, such as the crafting of database
queries and enforcing of access control to all resources.

The ORM also takes care of properly sanitizing user-provided data,
in order to prevent data corruption or breach by malicious users.

In some cases, for performance reasons or for very specific data
access patterns, business logic components must directly use the
lower-level database access layer without going through the regular
ORM layer. Great care must be exerted in those cases to ensure
that user-provided data is sanitized and proper access control
enforced.

II. Problem Description

The Odoo Accounting module includes functions requiring direct
use of the low-level database access layer without going through
the ORM layer.

One of these functions does not properly sanitize user-provided
data, possibly leading to data corruption or data breach by
malicious users, through the injection of arbitrary SQL commands
inside database queries.
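To illustrate the class of defect the advisory describes, here is an added example (not Odoo's code and not the patched function) contrasting a raw-cursor query that interpolates an RPC-supplied value with the parameterised form the ORM would normally guarantee. It assumes a constructed, in-memory SQLite table standing in for an accounting table; Odoo's cursor uses psycopg2-style `%s` placeholders where SQLite uses `?`.

```python
import sqlite3

# Constructed sample rows standing in for an Odoo accounting table
# (id, name, balance, company_id); not real Odoo data.
SAMPLE_ROWS = [
    (1, "INV/2015/001", 100.0, 1),
    (2, "INV/2015/002", 250.0, 1),
    (3, "INV/2015/003", 75.0, 2),
]


def _cursor():
    """Return an in-memory SQLite cursor loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    cr = conn.cursor()
    cr.execute(
        "CREATE TABLE account_move_line "
        "(id INTEGER, name TEXT, balance REAL, company_id INTEGER)"
    )
    cr.executemany("INSERT INTO account_move_line VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return cr


def lines_vulnerable(cr, name):
    """The defect class in the advisory: a value received over RPC is pasted
    straight into a raw SQL string, bypassing the ORM's sanitisation.
    A quote in `name` terminates the literal and rewrites the WHERE clause."""
    query = "SELECT id, name, balance FROM account_move_line WHERE name = '%s'" % name
    cr.execute(query)
    return cr.fetchall()


def lines_fixed(cr, name):
    """Hardened form: the value is bound as a query parameter, so the driver
    escapes it and it can only ever be compared as data, never parsed as SQL.
    (With Odoo's psycopg2 cursor the placeholder would be %s instead of ?.)"""
    query = "SELECT id, name, balance FROM account_move_line WHERE name = ?"
    cr.execute(query, (name,))
    return cr.fetchall()


# A name containing a quote: the vulnerable query returns every row
# (data breach); the parameterised one matches nothing, as it should.
TAINTED_NAME = "' OR '1'='1"
```

Running `lines_vulnerable(_cursor(), TAINTED_NAME)` returns all three rows while `lines_fixed(_cursor(), TAINTED_NAME)` returns an empty list, which is the behavioural difference a test for this bug class should assert on.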

III. Impact

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 5.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C)

Malicious Odoo users with at least read-only access to accounting
data could craft specific RPC packets causing the injection of
arbitrary SQL commands inside database queries.

Such arbitrary SQL commands could allow the attacker to read or
alter the database content in any manner, usually without leaving
any trace. This could include very sensitive business data or
access credentials from other users.

Exploiting this vulnerability requires remote network access and
the credentials of a valid Odoo user on a database hosted on a
vulnerable Odoo installation.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV. Workaround

No workaround is available, but Odoo databases on which the Odoo
Accounting module is not installed are not vulnerable.
Please note that the Accounting module is often installed as a
requirement for other modules such as Sales or Purchase Management.

Odoo Online servers have been patched as soon as the correction was
available.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

@odony odony added Confirmed the bug was confirmed by testers OE the report is linked to a support ticket (opw-...) labels Jun 23, 2015
@odony odony closed this as completed Jun 23, 2015
@odoo odoo locked and limited conversation to collaborators Jun 23, 2015
@odony odony added Security security announcements and removed Confirmed the bug was confirmed by testers OE the report is linked to a support ticket (opw-...) labels Jun 23, 2015
@odony odony changed the title [SEC] SQL injection in Accounting module via RPC [SEC] 2015-account-inject - SQL injection in Accounting module via RPC Feb 24, 2016