** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1116226
Title:
  [7.0] Remote File/URL Access via "LinkedIn Integration" module + privilege escalation

Status in OpenERP Addons (modules):
  Fix Released

Bug description:

== SECURITY ADVISORY ==

Title: Remote File/URL Access via "LinkedIn Integration" module
Affects: OpenERP 7.0 only
Component: OpenERP Addons
Module: web_linkedin
Credit: Bastian Ike
CVE ID: 2013-1657 (to be published)

I. Confidentiality

The content of this security advisory was released early on 2013-02-11 to subscribers of an OpenERP Enterprise contract (OE). In the meantime, this issue was not disclosed or discussed on public channels.

II. Background

OpenERP is remotely accessible using remote procedure call (RPC) protocols, in order to communicate with the OpenERP user interface or with external systems. These RPC interfaces grant access to the business logic provided by OpenERP modules (also known as Apps or addons). This allows calling the business logic of OpenERP from external programs, including with other parameters than those typically used by the OpenERP user interface.

OpenERP 7.0 comes with a new "LinkedIn Integration" module (web_linkedin) that can automatically fill in new Contact details based on the information published on LinkedIn.

III. Problem Description

The web_linkedin module did not properly verify the parameters passed to one of its RPC methods, allowing an attacker to remotely access local files on the server on which OpenERP is running, or to relay HTTP requests to arbitrary URLs. OpenERP 7.0 systems where the web_linkedin module is present but not installed may also be vulnerable.

IV. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit

An attacker could pass a specially-crafted JSON-RPC request to the vulnerable method and ask for the contents of any local file or remote URL, with or without being authenticated. Local files requested through this vulnerability may contain sensitive information such as passwords that could allow the user to gain elevated privileges on OpenERP or on the server machine itself. The attacker could also use the OpenERP system as an "open web proxy", effectively avoiding network traceability when accessing or abusing other websites.

Exploiting this vulnerability only requires remote network access to the vulnerable OpenERP system. OpenERP S.A. is not aware of any malicious use of this vulnerability yet.

V. Workaround

Deleting the web_linkedin directory in the local modules repository, then restarting the OpenERP server, will prevent exploiting this vulnerability, but may damage your installation. This option should only be used if applying the patch or updating the installation is truly impossible, and must be performed by personnel experienced with OpenERP administration.

Please also note that:

- 7.0 systems where the web_linkedin module is not installed may also be vulnerable as long as the web_linkedin module is present in the local modules (i.e. in one of the `addons_path` entries).
- Systems based on the OpenERP 7.0 Windows All-In-One installer are not vulnerable unless the web_linkedin module was installed on at least one database. On such installations modules are only downloaded when they are installed.
- All OpenERP Online servers have been patched as soon as the correction was available.

VI. Solution

Apply the attached patch, or upgrade to an OpenERP 7.0 version after the correction date, either via Bazaar or by downloading the latest version from https://www.openerp.com or http://nightly.openerp.com/7.0/nightly

To apply the patch, change into the root directory of your addons installation, then execute the patch command, such as:

    patch -p0 -f < /path/to/the_patch_file.patch

VII. Correction details

The following list contains the revision number of the 7.0 series of `openobject-addons' after which the vulnerability is corrected.

-------------------------------------------------------------------------
- 7.0 series
  revno: 8669
  revision-id: [email protected]

== ORIGINAL DESCRIPTION FROM REPORTER ==

The web_linkedin addon in OpenERP 7 contains a critical security issue.

    import base64
    import urllib2
    import openerp.addons.web.http

    class Binary(openerp.addons.web.http.Controller):
        _cp_path = "/web_linkedin/binary"

        @openerp.addons.web.http.jsonrequest
        def url2binary(self, req, url):
            # The caller-supplied url reaches urlopen without any check on
            # scheme or host, so the server fetches whatever it is given
            # and hands the content back to the (unauthenticated) caller.
            bfile = urllib2.urlopen(url)
            return base64.b64encode(bfile.read())

Anyone can just open /web_linkedin/binary/url2binary and pass any URL, which will be loaded from the server, and the result is sent to the user. This lets an attacker abuse the OpenERP server to hide his IP from attacks (like DDoS) on other servers, or lets him access internal resources inside the company's network.

PoC:

    In [1]: import jsonrpclib
    In [2]: import base64
    In [3]: base64.b64decode(jsonrpclib.Server('http://SERVER:PORT/web_linkedin/binary/url2binary').call(url="http://checkip.dyndns.com:8245/"))
    Out[3]: '<html><head><title>Current IP Check</title></head><body>Current IP Address: 11.22.33.44</body></html>\r\n'

I'm not sure if openerp-web is the right project, if not, please move it.
If you need further information please let me know (here or via skype: bastian.ike).

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/1116226/+subscriptions
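As an added example (not the OpenERP patch and not code from the advisory or the reporter), a Python 3 counterpart of url2binary with the checks the advisory says were missing: an authenticated caller, https only, an exact hostname allow-list, no userinfo or non-default ports, no redirect following, and a cap on the bytes read. The two licdn.com hostnames, the 2 MiB cap and the injectable `fetch` parameter are assumptions made for this example.

```python
import base64
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list (assumption): the only hosts the integration needs.
ALLOWED_HOSTS = frozenset({"media.licdn.com", "m.c.lnkd.licdn.com"})
MAX_BYTES = 2 * 1024 * 1024  # assumption: cap on what one fetch may return

class UnsafeUrl(ValueError):
    """Raised when a caller-supplied URL fails validation."""

def validate_fetch_url(url):
    """Return a normalised https URL on an allow-listed host, or raise UnsafeUrl.
    Exact hostname matching closes every case in the advisory: file:// and
    other schemes, arbitrary hosts (open proxy) and internal hosts by IP."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise UnsafeUrl("scheme %r is not https" % parts.scheme)
    if parts.username or parts.password or parts.port not in (None, 443):
        raise UnsafeUrl("userinfo and non-default ports are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeUrl("host %r is not an allowed LinkedIn media host" % host)
    # Rebuild from the validated parts so the fetch uses exactly what was checked.
    return urlunsplit(("https", host, parts.path, parts.query, ""))

def reject_reason(url):
    """'' if the URL would be fetched, else why it is refused (useful for logs)."""
    try:
        validate_fetch_url(url)
        return ""
    except ValueError as exc:  # UnsafeUrl, or a malformed port from urlsplit
        return str(exc)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # An allow-listed host redirecting elsewhere would otherwise bypass the check.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def _http_get(url):
    with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as resp:
        return resp.read(MAX_BYTES)

def url2binary_hardened(url, authenticated, fetch=_http_get):
    """Hardened counterpart of the vulnerable RPC method (example, not the patch)."""
    if not authenticated:  # the original method required no authentication
        raise PermissionError("authentication required")
    data = fetch(validate_fetch_url(url))
    return base64.b64encode(data).decode("ascii")
```

Logging `reject_reason()` for refused requests gives a detection signal for the probing the advisory describes, since a legitimate client never sends a file:// URL or an unlisted host to this endpoint.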

