[6.0/6.1/7.0/Trunk] get_sys_logs function may allow arbitrary code execution
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Odoo Addons (MOVED TO GITHUB) | Expired | Undecided | Unassigned |
Bug Description
The Warranty information retrieval function get_sys_logs is a major vulnerability.
The function is called by model "publisher_
This function is called on a weekly basis using this cron definition:
<record id="ir_
<field name="name">Update Notification<
<field eval="True" name="active" />
<field name="user_id" ref="base.
<field name="interval_
<field name="interval_
<field name="numbercal
<field eval="False" name="doall" />
<field eval="'
<field eval="'
<field eval="'(None,)'" name="args" />
<field name="priority"
</record>
This cron is explicitly silenced in log:
if cron_mode: # we don't want to see any stack trace in cron
Except for the fact that the cron sends data to OpenERP SA silently.
The get_sys_logs function executes arbitrary code from a URL:
url = config.
uo = urllib2.
result = {}
try:
result = safe_eval(
finally:
uo.close()
return result
If someone corrupts the source server or DNS, code can be sent to all OpenERP instances open to the Internet.
Regards
Nicolas
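The report above faults two things: the response body is evaluated as code, and it travels over unauthenticated plain HTTP. The following is an added example of how a defender would rewrite the retrieval step; it is not OpenERP's code and not the fix from the linked branches. It assumes Python 3 (urllib.request instead of urllib2), a hypothetical allowlist of response keys (`messages`, `expiration_date`), and hypothetical function names. The remote body is parsed with ast.literal_eval, which accepts only Python literals and rejects calls, attribute access and names, and the parsed value is then checked against the allowlist before anything uses it; the URL is refused unless it is https, so the default certificate verification of urlopen applies.

```python
"""Hardened handling of an update-notification response (added example,
not OpenERP's own get_sys_logs; key names and function names are assumed)."""
import ast
import logging
import urllib.request
from urllib.parse import urlparse

_logger = logging.getLogger(__name__)

# Assumed shape of a legitimate answer: only these keys, with these types.
ALLOWED_KEYS = {
    "messages": list,        # list of str
    "expiration_date": str,
}


class InvalidResponse(ValueError):
    """Raised when the remote answer is not a plain, well-formed literal."""


def require_https(url):
    """Refuse anything but an https URL so the server is authenticated."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise InvalidResponse("refusing non-https update URL: %r" % url)
    return url


def parse_response(body):
    """Turn the response text into a validated dict without executing it.

    ast.literal_eval only builds literals (strings, numbers, lists, dicts...);
    any call, name or attribute access makes it raise instead of run code.
    """
    try:
        data = ast.literal_eval(body)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise InvalidResponse("response is not a plain literal: %s" % exc)
    if not isinstance(data, dict):
        raise InvalidResponse("expected a dict, got %s" % type(data).__name__)
    unexpected = set(data) - set(ALLOWED_KEYS)
    if unexpected:
        raise InvalidResponse("unexpected keys in response: %s" % sorted(unexpected))
    for key, expected_type in ALLOWED_KEYS.items():
        if key in data and not isinstance(data[key], expected_type):
            raise InvalidResponse("key %r should be %s" % (key, expected_type.__name__))
    for msg in data.get("messages", []):
        if not isinstance(msg, str):
            raise InvalidResponse("messages must be strings")
    return data


def fetch_update(url, timeout=10):
    """Fetch and validate the update answer; failures are logged, not hidden."""
    require_https(url)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as uo:
            body = uo.read().decode("utf-8")
        return parse_response(body)
    except (InvalidResponse, OSError) as exc:
        # Unlike a silenced cron, record why the update was rejected.
        _logger.warning("update notification rejected: %s", exc)
        return {}


def rejects(body):
    """True if parse_response refuses the body (used by the checks below)."""
    try:
        parse_response(body)
    except InvalidResponse:
        return True
    return False


def rejects_url(url):
    """True if require_https refuses the URL."""
    try:
        require_https(url)
    except InvalidResponse:
        return True
    return False


# Constructed sample bodies (not real server output).
GOOD_BODY = "{'messages': ['Maintenance contract active'], 'expiration_date': '2014-01-01'}"
CALL_BODY = "{'messages': len('abc')}"            # a call: literal_eval refuses it
EXTRA_KEY_BODY = "{'messages': [], 'handler': 'x'}"  # key outside the allowlist

if __name__ == "__main__":
    print(parse_response(GOOD_BODY))
    print("call body rejected:", rejects(CALL_BODY))
    print("extra key rejected:", rejects(EXTRA_KEY_BODY))
    print("http URL rejected:", rejects_url("http://example.invalid/update"))
```

The allowlist is the part that depends on the real protocol: it should be derived from what the caller actually reads out of the result, so that an unexpected key or type is treated as a tampered answer rather than silently passed along.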
Related branches
- Olivier Dony (Odoo): Needs Fixing
- Alexandre Fayolle - camptocamp (community): Approve (code review, no test)
- Holger Brunn (Therp) (community): Approve (code review)
Diff: 43 lines (+8/-7), 2 files modified: mail/data/mail_data.xml (+1/-1), mail/update.py (+7/-6)

- Guewen Baconnier @ Camptocamp: Disapprove
- Stefan Rijnhart (Opener): Disapprove
- Holger Brunn (Therp): Needs Fixing
- Alexandre Fayolle - camptocamp: Approve (code review, no test)
Diff: 43 lines (+8/-7), 2 files modified: mail/data/mail_data.xml (+1/-1), mail/update.py (+7/-6)
tags: added: security
description: updated
information type: Public → Private Security
information type: Private Security → Public Security
description: updated
summary: "[7.0/Trunk] get_sys_logs function is a major vulnerability" → "[7.0/Trunk] get_sys_logs function may allows arbitrary code execution"
summary: "[7.0/Trunk] get_sys_logs function may allows arbitrary code execution" → "[6.1/7.0/Trunk] get_sys_logs function may allows arbitrary code execution"
summary: "[6.1/7.0/Trunk] get_sys_logs function may allows arbitrary code execution" → "[6.0/6.1/7.0/Trunk] get_sys_logs function may allows arbitrary code execution"
Even without compromise of the server, this exposes the instance to all kinds of man-in-the-middle attacks.
The information being sent and the answer are transmitted unencrypted and the remote server is not authenticated in any fashion. (http and not https).