Security Advisory - ODOO-SA-2018-08-07-3
Incorrect access control in the portal messaging system in Odoo Community 9.0 and 10.0 and Odoo Enterprise 9.0 and 10.0 allows remote attackers to post messages on behalf of customers, and to guess document attribute values, via crafted parameters.
Affects: Odoo 9.0, 10.0 (Community and Enterprise Editions)
Component: website_mail
Credits: Nils Hamerlinck (Trobz), Naglis Jonaitis, Andrew Grasso
CVE ID: CVE-2018-14867
I. Background
Odoo's messaging engine allows visitors on the website to post messages on
existing documents. That mechanism is used to chat with unauthenticated users or
to allow portal users to comment on their documents, such as orders or tickets.
This feature is limited by a security check that only allows users to post on
documents when they have received a direct secure link to the document.
II. Problem Description
A programming error in the security check of the message post feature makes it
easy to circumvent. It can also turn it into a vector for leaking limited
information about arbitrary documents.
III. Impact
Attack Vector: Network exploitable
Authentication: No user account required
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
A remote unauthenticated attacker could craft a request in order to post messages
on any document in the database that carries a message history,
as if they had been posted by the customer linked to the document.
This attack also allows the attacker to guess, by trial and error, the value of
a limited number of fields on such a document. This is mitigated by the fact that
it is very time consuming and leaves a trace, since the attempts post messages on the document.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
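The advisory does not publish the faulty code, so the following is a constructed Python illustration of the bug class it describes, not Odoo's code: a portal message-post endpoint that must verify the secure token carried in the customer's direct link. The weak variant lets the request choose which document field the submitted token is compared against, which turns the check into a trial-and-error oracle for arbitrary field values and, on a correct guess, also posts a message in the customer's name. The hardened variant rejects unknown parameters, only ever compares against a dedicated per-record token using a constant-time comparison, and answers a missing document exactly like a wrong token. The Document class, the DOCS table, the parameter names and the two functions are all hypothetical.

```python
"""Constructed illustration, not Odoo's code: a portal message-post access
check in a weak form that doubles as a field-value oracle, beside a
hardened form that only ever checks a dedicated per-document token."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Document:
    """Stand-in for a customer document (an order or a ticket) whose
    direct link carries a random per-record access token."""
    id: int
    partner: str            # customer the document belongs to
    amount_total: float     # a field an attacker might want to learn
    access_token: str = field(default_factory=lambda: secrets.token_hex(16))
    messages: list = field(default_factory=list)


# Constructed sample data: two documents owned by two customers.
DOCS = {1: Document(1, "Alice", 1234.50), 2: Document(2, "Bob", 87.25)}

# Parameters a well-formed post request is allowed to carry.
ALLOWED_PARAMS = {"token", "body"}


def post_message_weak(doc_id, params):
    """Hypothetical weak check: the request names the field that the
    submitted token is compared against. A caller can therefore aim it at
    any attribute and confirm a guessed value, and a correct guess also
    posts a message in the customer's name."""
    doc = DOCS[doc_id]
    compare_field = params.get("token_field", "access_token")
    if str(getattr(doc, compare_field)) != str(params.get("token")):
        return False
    doc.messages.append((doc.partner, params.get("body", "")))
    return True


def post_message_hardened(doc_id, params):
    """Hardened check: unknown parameters are rejected up front, the token
    is only ever compared with the dedicated access_token field, the
    comparison is constant-time, and a missing document yields the same
    answer as a wrong token so existence cannot be probed either."""
    if set(params) - ALLOWED_PARAMS:
        return False
    doc = DOCS.get(doc_id)
    token = params.get("token")
    if doc is None or not isinstance(token, str):
        return False
    if not hmac.compare_digest(doc.access_token.encode(), token.encode()):
        return False
    doc.messages.append((doc.partner, params.get("body", "")))
    return True


def guess_via_oracle(post, doc_id, field_name, candidates):
    """Attacker's trial-and-error loop: submit each candidate as the token
    while pointing the check at `field_name`. The first accepted candidate
    is the field's value; None means the endpoint gave nothing away."""
    for candidate in candidates:
        probe = {"token_field": field_name, "token": candidate, "body": "probe"}
        if post(doc_id, probe):
            return candidate
    return None


if __name__ == "__main__":
    guesses = ["87.25", "1234.5", "99.0"]
    print("weak:", guess_via_oracle(post_message_weak, 1, "amount_total", guesses))
    print("hardened:", guess_via_oracle(post_message_hardened, 1, "amount_total", guesses))
    print("messages left on doc 1:", DOCS[1].messages)
```

Running the oracle loop against the weak variant recovers amount_total of document 1 and leaves a "probe" message on it, which is the trace the advisory mentions; against the hardened variant every probe is refused before any comparison happens, and only the genuine access token posts a message.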
IV. Workaround
No workaround is available; applying the patch is strongly recommended.
Uninstalling the "website_mail" module can prevent exploiting this
vulnerability, at the expense of making some parts of the Odoo deployment
stop working (depending on the version and other modules installed).
Odoo Online servers were patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected:
Version 11.0 is not affected by this vulnerability.