[SEC] 2016-07b-ogone-eval - Arbitrary code execution with Ogone transactions #13180

Closed
odony opened this issue Aug 17, 2016 · 0 comments

Security Advisory (2016-07b-ogone-eval)

Arbitrary code execution with Ogone transactions

Affects: Odoo 9.0 (Community and Enterprise Editions)
Component: Ogone Payment module
Credits: Ondřej Kuzník
OVE ID: OVE-20160725-0004

I. Background

Odoo 9.0 integrates with different payment acquirers (such as Ingenico
Payment Services, formerly Ogone), in order to process e-commerce
payments, or to subscribe to services via recurring invoices.

In order to properly process payment confirmations from external providers,
Odoo executes some preconfigured business logic within a secure sandbox
during the finalization of each transaction.

II. Problem Description

The business code (post-completion payload) executed during the
finalization of Ogone transactions can be altered by the "Customer" this
transaction applies to, before completing the transaction, IF this
Customer is also a user with "Employee" access.

III. Impact

Attack Vector: Network exploitable
Attack Complexity: Low
Authentication: "Employee" access required
CVSS3: 7.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C)

By creating real Ogone transactions (e.g. via real eCommerce purchases),
and by injecting a malicious "post-completion payload" into the transactions
before completing them, a malicious Employee could execute arbitrary
business logic with the credentials of the Administrator.

This could possibly compromise the security and integrity of the database,
or allow the attacker to obtain elevated privileges.

Odoo S.A. is not aware of any malicious use of this vulnerability.
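The access-control gap described above, as an added toy model that is not Odoo's code and does not reproduce its real models or the fix in rev. 0e104a1: a payload that is evaluated as the administrator must not be writable by the customer it belongs to, even when that customer is an employee. All class and function names are hypothetical.

```python
# Added illustration, not Odoo's code: a toy model of the access-control
# gap described in 2016-07b-ogone-eval. A transaction carries a
# "post-completion payload" (a snippet of business logic) that is evaluated
# with administrator rights when the transaction is finalized. The flaw is
# that the customer who owns the transaction may edit that payload if the
# customer also holds "employee" access. Names below are hypothetical.
ADMIN = "admin"


class Transaction:
    def __init__(self, customer, payload, hardened=False):
        self.customer = customer    # user owning the transaction
        self.payload = payload      # business logic run on finalization
        self.hardened = hardened    # True = corrected access rule


def write_payload(tx, actor, groups, new_payload):
    """Try to replace the payload as `actor`; return True if the write
    was allowed. Vulnerable rule: the owning customer may edit it when
    they are an employee. Hardened rule: only the administrator may
    change code that will later run as the administrator."""
    if tx.hardened:
        allowed = actor == ADMIN
    else:
        allowed = actor == ADMIN or (
            actor == tx.customer and "employee" in groups)
    if allowed:
        tx.payload = new_payload
    return allowed


def finalize(tx):
    """Evaluate the payload in a restricted namespace (no builtins) and
    return (identity it ran as, actions it recorded). Both designs run it
    as the administrator; the fix is in who may write it."""
    ns = {"__builtins__": {}, "actions": []}
    eval(tx.payload, ns)  # stand-in for the sandboxed business-logic eval
    return ADMIN, ns["actions"]


if __name__ == "__main__":
    # Constructed sample: customer "alice" also has employee access.
    legit = "actions.append('confirm_invoice')"
    tampered = "actions.append('tampered_action')"
    for hardened in (False, True):
        tx = Transaction("alice", legit, hardened=hardened)
        written = write_payload(tx, "alice", {"employee"}, tampered)
        print("hardened=%s written=%s ran=%s" % (hardened, written, finalize(tx)))
```

With the vulnerable rule the employee-customer's edit is accepted and then executed as the administrator; with the hardened rule the edit is refused and only the administrator-set payload runs.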

IV. Workaround

No workaround is available, but only databases using the "payment_ogone"
module are vulnerable.

Odoo Online servers have been patched as soon as the correction was
available.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various hunks
from the patch files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 9.0: rev. 0e104a1
  • 9.0-ent (Enterprise): see 9.0.