[SEC] OCA-2018-08-08-1 - Denial of Service via dbfilter_from_header #1335
Comments
dbfilter_from_header
Hi @nilshamerlinck, IMHO another issue is to apply the monkey patch if the module is not installed. Could you check it, please?
moylop260 added a commit to vauxoo-dev/maintainer-tools that referenced this issue on Aug 10, 2018:
See example OCA/server-tools#1340 Continuation from OCA#196 Reduce the risks about issues related like: OCA/server-tools#1335
We need to consider these kinds of cases for our guidelines:
trobz-git-mirror pushed a commit to trobz/odoo-production that referenced this issue on Nov 12, 2018:
[SEC] update security for OCA/server-tools#1335 See merge request project/lalouve!638
bodedra pushed a commit to ursais/maintainer-tools that referenced this issue on Dec 1, 2018:
See example OCA/server-tools#1340 Continuation from OCA#196 Reduce the risks about issues related like: OCA/server-tools#1335
bodedra pushed a commit to ursais/maintainer-tools that referenced this issue on Jan 10, 2019:
See example OCA/server-tools#1340 Continuation from OCA#196 Reduce the risks about issues related like: OCA/server-tools#1335
Security Advisory (OCA-2018-08-08-1)
Denial of Service via dbfilter_from_header
Affects: Odoo 8.0, 9.0, 10.0, 11.0 servers with the dbfilter_from_header module available in the addons path
Credits: Nils Hamerlinck (Trobz)
CVE-ID: CVE-2018-14733
I. Background
The dbfilter_from_header module from OCA's server-tools repository allows a specific HTTP header in the request (X-Odoo-dbfilter or X-Openerp-dbfilter, depending on the version) to be taken into account to define the dbfilter applying to the instance. This is useful when you have one instance with multiple databases whose names don't match the target domain names.
II. Problem Description
In the normal use case this HTTP header is set by the system administrator at the reverse proxy level (nginx); the module is added to the server_wide_modules config parameter and installed. But the module contains a static/ directory, which had the unexpected effect of triggering its unconditional loading, even when it was not intended to be used: neither added to server_wide_modules nor installed.
III. Impact
Attack Vector: Network exploitable
Authentication: Not Required
CVSS3 Score: High :: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
So by just having it available in its addons path, the instance would load dbfilter_from_header. An attacker could define an X-Odoo-dbfilter / X-Openerp-dbfilter header that would be evaluated as the db_filter regular expression. By crafting a deliberately inefficient regular expression, they could lead Odoo to a DoS (aka "ReDoS"):
limit_time_cpu).
IV. Workaround
Set the X-Odoo-dbfilter header to .* (or any relevant stricter regex for the concerned host) at the reverse proxy level:
proxy_set_header X-Odoo-dbfilter ^.*\Z;
V. Solution
- Update the dbfilter_from_header source code.
- Set proxy_mode = True.
- Make sure the X-Odoo-dbfilter header is properly defined at reverse proxy level.
- Add the module to server_wide_modules.
VI. Correction details
The following list contains the revisions after which the vulnerability is corrected:
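As an added example (not code from the OCA module, the advisory, or any of the commits above), the two controls the Impact and Solution sections imply, in plain Python: honour the header only when the administrator has opted in (proxy_mode on and the module listed in server_wide_modules), and allowlist the header value before it is ever compiled as the dbfilter regex. The config dict, the header lookup and the allowlist heuristic are assumptions for illustration, not Odoo's real API.

```python
import re
from typing import Mapping, Optional

# Constructed stand-in for the relevant odoo.tools.config keys (assumption, not Odoo's object).
SAMPLE_CONFIG = {"proxy_mode": True, "server_wide_modules": "web,dbfilter_from_header"}

# Both header spellings the advisory mentions; compared case-insensitively.
HEADER_NAMES = ("x-odoo-dbfilter", "x-openerp-dbfilter")

# Conservative allowlist for a dbfilter: database-name characters, anchors,
# alternation, grouping, '.' and '*'. No '+', '?', '{...}' or backreferences.
_ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9_.\-^$|()*\\Z]{1,128}\Z")
# A star applied to a group is the nested-quantifier shape behind catastrophic
# backtracking; refuse it outright instead of trying to prove the pattern linear.
_STARRED_GROUP = re.compile(r"\)\*")


def module_enabled(config: Mapping[str, object]) -> bool:
    """Honour the header only when the administrator opted in: proxy_mode is on
    AND dbfilter_from_header is listed in server_wide_modules."""
    modules = {m.strip() for m in str(config.get("server_wide_modules", "")).split(",")}
    return bool(config.get("proxy_mode")) and "dbfilter_from_header" in modules


def safe_dbfilter(value: str) -> bool:
    """Heuristic check applied before the value is compiled as a regex."""
    if not _ALLOWED_CHARS.match(value) or _STARRED_GROUP.search(value):
        return False
    # A backslash may only introduce the \Z end anchor used in the workaround.
    if value.count("\\") != value.count("\\Z"):
        return False
    try:
        re.compile(value)
    except re.error:  # e.g. unbalanced parentheses
        return False
    return True


def dbfilter_from_request(headers: Mapping[str, str], config: Mapping[str, object]) -> Optional[str]:
    """Return the dbfilter to apply, or None to keep the server's configured default.
    Unlike the vulnerable behaviour, a present header is ignored unless both the
    opt-in config and the allowlist are satisfied."""
    if not module_enabled(config):
        return None
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in HEADER_NAMES:
        value = lowered.get(name)
        if value is not None:
            return value if safe_dbfilter(value) else None
    return None
```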