Skip to Content
  2. Mailing Lists
  3. Contributors
  4. Re: Bank Account Security

Archives

Contributors

Re: Bank Account Security

Re: Bank Account Security

Re: Bank Account Security

What's more is the oca has plenty of modules already that do exactly the same thing for other functions and modules. E.g import export

And also we have similar far more severe privilege escalation issues open with odoo for many years. Truthfully they aren't that interested if it is difficult to fix and not purely a bug.

Even under enterprise contract they just send you a link saying default security rules are not meant for production, and when you explain that it is nothing to do with rules but users can do things outside their allowed privileges, crickets.



On Fri, 23 Dec 2022, 5:57 am Graeme Gellatly, <graeme@o4sb.com> wrote:
Jairo,

Sorry you are completely wrong. There is a huge difference between a conscious decision that odoo themselves has made about their own security rules and sql injections, buffer r overflow, privilege escalation etc. There is nothing to disclose, it is obvious public information already. 


On Fri, 23 Dec 2022, 12:12 am Urtzi Pérez, <notifications@odoo-community.org> wrote:
I agree with you Luis, but I think Jairo's message is important for the knowledge of every contributor.

Thank you Jairo for sharing your opinion.

Regards,

Urtzi Pérez


El jue, 22 dic 2022 a las 9:21, LuisDaniel Lafaurie (<notifications@odoo-community.org>) escribió:
Hi, Jairo, in relation to your comments about what Graeme has posted, I believe you're right when explaining the way it should have been dealt with. BUT, you're contradicting yourself by posting this message publicly and not addressing only the person who posted it in the first place, which will make the problem even bigger.

Just saying!

Regards,
Luis

   

On Thu, 22 Dec 2022, 08:57 Jairo Llopis, <notifications@odoo-community.org> wrote:
Hi Graeme, thanks for finding this security problem.

While I appreciate your intentions sincerely, I have to tell you this is not an appropriate way to do it. 😅

When dealing with security problems it's important to understand the impact of such information. There's a concept called "responsible disclosure". When you find the vulnerability, is it your responsability to report it? I consider it a yes for me. But where to report it? If there's a security hole and someone makes it public before the patch is released, they only help in doing the problem bigger. Now there's not only a problem (the bug), there are two extra problems (everybody knows the bug and nobody has the fix).

I've personally participated in fixing security holes both in Odoo and in OCA (and many contributors here too), and a good rule of thumb is: fix first, tell later. If you don't have a clear path for fixing the issue, it's better to ask specific persons through private channels than telling the world they can abuse every Odoo installation to steal money.

In the case of Odoo, here they have the responsible disclosure process for those problems, and my recommendation is that you follow it. Now the bug is public, so please do it ASAP.

Regarding the fix, modules are not meant to fix security issues. They are meant to improve the software. If there's a security problem, it must be fixed where the problem exists: in the payment module in this case AFAICS.

Thanks!

El lun, 19 dic 2022 a las 21:57, Graeme Gellatly (<notifications@odoo-community.org>) escribió:
Hi all,

During an evaluation of OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything)

Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo as anyone with those rights can just change the account of a large supplier, get paid, move to Caymans.

On the other hand, where an account does not exist it is created during reconciliation.

My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.

So some questions
Is it a good idea?
Does it already exist?
Which repo?
For create as well?
For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?
Only for automated payment scenarios or by default? my gut says actually this is a big issue and should be default.

_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe

_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe

_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe

_______________________________________________
Mailing-List: https://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: https://odoo-community.org/groups?unsubscribe

by Graeme Gellatly - 06:16 - 22 Dec 2022

Reference

  • Bank Account Security
    Hi all,

    During an evaluation of OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything)

    Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo as anyone with those rights can just change the account of a large supplier, get paid, move to Caymans.

    On the other hand, where an account does not exist it is created during reconciliation.

    My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.

    So some questions
    Is it a good idea?
    Does it already exist?
    Which repo?
    For create as well?
    For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?
    Only for automated payment scenarios or by default? my gut says actually this is a big issue and should be default.
    by Graeme Gellatly - 10:56 - 19 Dec 2022