[SEC] ODOO-SA-2017-06-02-1 - Local file disclosure #17394

Closed
odony opened this Issue Jun 2, 2017 · 0 comments

odony commented Jun 2, 2017

Security Advisory (ODOO-SA-2017-06-02-1)

Local file disclosure

Affects: Odoo 8.0, 9.0, 10.0 (Community and Enterprise Editions)
Component: Core
Credits: Karim Boukabbouz from IBS North Africa and Nils Hamerlinck
References: CVE-2017-9416

Update 1 (2017-06-06): clarification of "normal users" in section III:

Both regular non-admin user accounts and "portal user" accounts could exploit this vulnerability.

I. Background

The Odoo framework exposes an API to access files included within any
modules. This API is used for loading resources, images or source code.

The Odoo core includes features such as reports and menus that require
files accessed through this API. In some cases, these features allow
users or administrators to control the file paths to use.

II. Problem Description

This file access API (tools.file_open) did not properly sanitize the
requested file paths, and could grant access to files that did not
belong to Odoo modules.
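The defect described above is a missing containment check: a file access API that joins a caller-controlled path onto a module directory must verify, after resolving `..` segments and symlinks, that the result still lies inside an allowed root. The following Python 3 block is an added example written for this page, not Odoo's code and not the fix shipped for this advisory; the function names (`resolve_module_path`, `safe_file_open`), the temporary directory layout and the sample paths are assumptions constructed for the demonstration.

```python
"""Added example (not Odoo code): confine a module-relative file open to a
set of allowed root directories, the kind of check a file access API such
as the advisory's tools.file_open needs so that a caller-controlled path
cannot reach files outside the module tree.

Function names, the temporary directory layout and the sample paths are
assumptions constructed for this example.
"""
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested path resolves outside every allowed root."""


def resolve_module_path(requested, allowed_roots):
    """Return the absolute path for `requested` only if, after resolving
    `..` segments and symlinks, it lies inside one of `allowed_roots`.

    Module-relative names such as "my_module/static/logo.txt" are joined to
    each root in turn. An absolute `requested` path is not joined by
    os.path.join, so it must itself fall inside a root to be accepted.
    """
    for root in allowed_roots:
        real_root = os.path.realpath(root)
        candidate = os.path.realpath(os.path.join(real_root, requested))
        # commonpath, unlike a plain startswith() prefix test, does not treat
        # "/opt/odoo/addons-other" as being inside "/opt/odoo/addons".
        try:
            inside = os.path.commonpath([real_root, candidate]) == real_root
        except ValueError:  # paths on different drives (Windows)
            inside = False
        if inside and os.path.isfile(candidate):
            return candidate
    raise UnsafePathError(
        "refusing to open %r: not inside an allowed module root" % (requested,))


def safe_file_open(requested, allowed_roots, mode="rb"):
    """Open a module file only after resolve_module_path() has accepted it."""
    return open(resolve_module_path(requested, allowed_roots), mode)


def build_demo_tree():
    """Create a constructed layout: an addons root holding one module file,
    plus a sibling file outside that root. Returns (addons_root, outside)."""
    base = tempfile.mkdtemp(prefix="addons_demo_")
    addons = os.path.join(base, "addons")
    os.makedirs(os.path.join(addons, "my_module", "static"))
    with open(os.path.join(addons, "my_module", "static", "logo.txt"), "w") as fh:
        fh.write("module asset")
    outside = os.path.join(base, "outside.txt")
    with open(outside, "w") as fh:
        fh.write("not a module file")
    return addons, outside


def demo():
    """Exercise the check: the module file opens; a relative path that
    climbs out of the root and an absolute path outside it are refused."""
    addons, outside = build_demo_tree()
    results = {}
    with safe_file_open("my_module/static/logo.txt", [addons]) as fh:
        results["module_file"] = fh.read()
    for label, path in (("relative_escape", "../outside.txt"),
                        ("absolute_outside", outside)):
        try:
            safe_file_open(path, [addons])
            results[label] = "opened"
        except UnsafePathError:
            results[label] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The comparison is done on `os.path.realpath` output on both sides so that a symlink planted inside a module directory cannot point the check at a file elsewhere, and `os.path.commonpath` is used instead of a string prefix test so that a sibling directory whose name merely begins with the root's name is not accepted.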

III. Impact

Attack Vector: Network exploitable
Authentication: Required
CVSS3 Score: High :: 7.7 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Malicious users may trick some of the components that use this API
into requesting arbitrary files from the local filesystem on which Odoo
is running. At least one of these components can be used without
elevated privileges (a normal user or "portal user" account is sufficient).

This could allow an attacker to read any local file that is currently
readable with the system privileges of the Odoo service.
This could include sensitive files containing passwords, etc.

Odoo S.A. is not aware of any malicious use of this vulnerability yet,
but the vulnerability was publicly disclosed by a third party without
coordination with Odoo S.A.

IV. Workaround

Attackers exploiting this vulnerability can only access files readable
by the system user executing Odoo. Sensitive files might therefore be
protected by using filesystem-level permissions to block access to the
Odoo user.
It is very hard to effectively secure a system in this manner, so
applying the patch or updating is strongly recommended.

Odoo Online servers have been patched as soon as the vulnerability was
announced.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" or "odoo", and "addons"
directories), then execute the patch command, typically:

       patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

@odony odony closed this Jun 2, 2017

@odoo odoo locked and limited conversation to collaborators Jun 2, 2017

@odony odony changed the title from *reserved* to [SEC] ODOO-SA-2017-06-02-1 - Local file disclosure Jun 3, 2017

@odony odony added the Security label Jun 3, 2017

odony referenced this issue Jun 6, 2017
