Security Advisory (2016-07b-ogone-eval)
Arbitrary code execution with Ogone transactions
Affects: Odoo 9.0 (Community and Enterprise Editions)
Component: Ogone Payment module
Credits: Ondřej Kuzník
OVE ID: OVE-20160725-0004
I. Background
Odoo 9.0 integrates with different payment acquirers (such as Ingenico
Payment Services, formerly Ogone) in order to process payments on its
e-commerce site or to subscribe to services via recurring invoices.
In order to properly process payment confirmations from external providers,
Odoo executes some preconfigured business logic within a secure sandbox
during the finalization of each transaction.
II. Problem Description
The business code (post-completion payload) executed during the
finalization of Ogone transactions can be altered by the "Customer" this
transaction applies to, before completing the transaction, IF this
Customer is also a user with "Employee" access.
III. Impact
Attack Vector: Network exploitable
Attack Complexity: Low
Authentication: "Employee" access required
CVSS3: 7.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C)
By creating real Ogone transactions (e.g. via real eCommerce purchases)
and injecting a malicious "post-completion payload" into those transactions
before completing them, a malicious Employee could execute arbitrary
business logic with the credentials of the Administrator.
This could possibly compromise the security and integrity of the database,
or allow the attacker to obtain elevated privileges.
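The pattern described above, as an added illustration that is not Odoo's code and does not reproduce the payment_ogone module: a hypothetical transaction record carries a free-form "callback" expression that the finalization routine evaluates with administrator rights, and the record's customer, who also has Employee access, can write that field. The names Env, Transaction, User, set_group, send_receipt, run_scenario and the attack payload are all constructed for this example; the two mitigations shown (refusing non-administrator writes to the field, and dispatching through a server-side whitelist instead of evaluating stored text) are generic hardening choices, not a description of Odoo's actual fix.

```python
# Added illustration; not Odoo code. Models a transaction whose stored
# "callback" expression is evaluated with administrator rights at finalization.
from dataclasses import dataclass

ADMIN, EMPLOYEE = "admin", "employee"


@dataclass
class User:
    login: str
    group: str


@dataclass
class Transaction:
    tx_id: int
    customer: User
    callback: str = ""      # hypothetical post-completion payload (an expression)
    state: str = "draft"


class Env:
    """Stand-in for an ORM environment bound to a current user (constructed)."""

    def __init__(self, users, user):
        self.users = users  # login -> User
        self.user = user

    def sudo(self):
        """Same registry, but acting as the administrator."""
        return Env(self.users, self.users["admin"])

    def set_group(self, login, group):
        if self.user.group != ADMIN:
            raise PermissionError(f"{self.user.login} may not change groups")
        self.users[login].group = group

    def send_receipt(self, tx):
        """A harmless action a payload might legitimately trigger."""
        return f"receipt for tx {tx.tx_id} sent to {tx.customer.login}"


def write_callback(tx, env, payload, hardened):
    """Customer edits its own transaction.
    Mitigation 1: treat the payload as a system field that only an
    administrator may write."""
    if hardened and env.user.group != ADMIN:
        raise PermissionError("callback is a system-only field")
    tx.callback = payload


# Mitigation 2: the stored value is a key into a server-side whitelist, not code.
ALLOWED_CALLBACKS = {"send_receipt": Env.send_receipt}


def finalize(tx, env, hardened):
    """Acquirer confirmed the payment; run the post-completion logic as admin."""
    tx.state = "done"
    if not tx.callback:
        return None
    admin_env = env.sudo()
    if hardened:
        action = ALLOWED_CALLBACKS.get(tx.callback)
        if action is None:
            raise ValueError(f"unknown callback {tx.callback!r}")
        return action(admin_env, tx)
    # Vulnerable path: evaluate attacker-controllable text with admin rights.
    # Stripping builtins does not help: 'env' itself is the dangerous object.
    return eval(tx.callback, {"__builtins__": {}}, {"env": admin_env, "tx": tx})


def run_scenario(hardened):
    """Mallory (Employee) plants a payload on her own transaction; returns her
    group after the acquirer callback fires."""
    users = {"admin": User("admin", ADMIN), "mallory": User("mallory", EMPLOYEE)}
    mallory_env = Env(users, users["mallory"])
    tx = Transaction(1, users["mallory"])
    payload = "env.set_group('mallory', 'admin')"   # constructed attack payload
    try:
        write_callback(tx, mallory_env, payload, hardened)
    except PermissionError:
        pass   # hardened: the field stays empty and finalization does nothing
    finalize(tx, mallory_env, hardened)
    return users["mallory"].group


def legitimate_flow():
    """An administrator configures a whitelisted action; it still works."""
    users = {"admin": User("admin", ADMIN), "alice": User("alice", EMPLOYEE)}
    admin_env = Env(users, users["admin"])
    tx = Transaction(2, users["alice"])
    write_callback(tx, admin_env, "send_receipt", hardened=True)
    return finalize(tx, admin_env, hardened=True)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))  # mallory is now admin
    print("hardened:  ", run_scenario(hardened=True))   # mallory stays employee
    print("legitimate:", legitimate_flow())
```

The vulnerable path shows why a restricted evaluator is not a defence on its own: the attacker never needs builtins, because the privileged environment object handed to the sandbox already exposes every write the administrator can make. Closing the hole means either keeping the customer away from the field entirely or ensuring that whatever is stored there is data that the server interprets, never code that it runs.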
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
No workaround is available, but only databases in which the "payment_ogone"
module is installed are vulnerable.
Odoo Online servers have been patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing the "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
Adding --dry-run to that command first reports whether every hunk applies
cleanly without modifying any file.
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various hunks
from the patch files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: