Open timodenissen opened 2 years ago
When setting a logger to debug, the user's password is logged in plaintext after the initial connection is set up.
PoC:
import odoorpc import logging logger = logging.getLogger() logger.setLevel(logging.DEBUG) hostname = input("hostname: ") method = "jsonrpc" port = 8169 database = input("database: ") username = input("username: ") password = input("password: ") logging.debug("starting connection") con = odoorpc.ODOO(hostname, method, port) con.login(database, username, password) con.execute( "res.partner", "search_read", [('id', '=', 1)], ['id'] )
method can be both jsonrpc or jsonrpc+ssl and port can be any valid Odoo or reverse proxy port.
method
jsonrpc
jsonrpc+ssl
port
The above results in:
hostname: 10.200.23.3 database: database_name username: username password: super_secret_password DEBUG:root:starting connection DEBUG:odoorpc.rpc.jsonrpclib:(JSON,send) https://10.200.23.3:8169/web/webclient/version_info {'jsonrpc': '2.0', 'method': 'call', 'params': {}, 'id': 879508241} DEBUG:odoorpc.rpc.jsonrpclib:(JSON,recv) https://10.200.23.3:8169/web/webclient/version_info {'jsonrpc': '2.0', 'method': 'call', 'params': {}, 'id': 879508241} => {'jsonrpc': '2.0', 'id': 879508241, 'result': {'server_version': '14.0+e-20211126', 'server_version_info': [14, 0, 0, 'final', 0, 'e'], 'server_serie': '14.0', 'protocol_version': 1}} DEBUG:odoorpc.rpc.jsonrpclib:(JSON,send) https://10.200.23.3:8169/web/session/authenticate {'jsonrpc': '2.0', 'method': 'call', 'params': {'db': 'database_name', 'login': 'username', 'password': '**********'}, 'id': 100563349} DEBUG:odoorpc.rpc.jsonrpclib:(JSON,recv) https://10.200.23.3:8169/web/session/authenticate {'jsonrpc': '2.0', 'method': 'call', 'params': {'db': 'database_name', 'login': 'username', 'password': '**********'}, 'id': 100563349} => {'jsonrpc': '2.0', 'id': 100563349, 'result': {'uid': 341, 'is_system': False, 'is_admin': False, 'user_context': {'lang': 'en_US', 'tz': 'Europe/Berlin', 'uid': 341}, 'db': 'database_name', 'server_version': '14.0+e-20211126', 'server_version_info': [14, 0, 0, 'final', 0, 'e'], 'name': 'John Doe', 'username': 'username', 'partner_display_name': 'Example Company, John Doe', 'company_id': 1, 'partner_id': 196008, 'web.base.url': 'http://localhost:8069', 'active_ids_limit': 20000, 'max_file_upload_size': 134217728, 'user_companies': {'current_company': [1, 'Example Company'], 'allowed_companies': [[1, 'Example Company']]}, 'currencies': {'5': {'symbol': 'CHF', 'position': 'after', 'digits': [69, 2]}, '1': {'symbol': '€', 'position': 'after', 'digits': [69, 2]}, '2': {'symbol': '$', 'position': 'before', 'digits': [69, 2]}}, 'show_effect': 'True', 'display_switch_company_menu': False, 'cache_hashes': {'load_menus': '8a32d6233210c1a64f7f2fe20fa31b88699e4bad13138f7c82c385d4d8119908', 'qweb': '5f01507b1f0131aa08ca989d88a79694d9b6ad1c2f83b0d3490e4d337e6a2418', 'translations': '4d10653cd680e5a0727ac1a9880e46d09d67e907'}, 'user_id': [341], 'max_time_between_keys_in_ms': 55, 'company_currency_id': 1, 'companies_currency_id': {'1': 1}, 'warning': 'user', 'expiration_date': '2022-08-01 00:00:00', 'expiration_reason': 'renewal', 'notification_type': 'email', 'map_box_token': False, 'odoobot_initialized': True, 'ocn_token_key': False, 'fcm_project_id': False, 'inbox_action': 114, 'timesheet_uom': {'id': 6, 'name': 'Hours', 'rounding': 0.01, 'timesheet_widget': 'float_time'}, 'timesheet_uom_factor': 1.0}} DEBUG:odoorpc.rpc.jsonrpclib:(JSON,send) https://10.200.23.3:8169/jsonrpc {'jsonrpc': '2.0', 'method': 'call', 'params': {'service': 'object', 'method': 'execute', 'args': ['database_name', 341, 'super_secret_password', 'res.partner', 'search_read', [('id', '=', 1)], ['id']]}, 'id': 625924402} DEBUG:odoorpc.rpc.jsonrpclib:(JSON,recv) https://10.200.23.3:8169/jsonrpc {'jsonrpc': '2.0', 'method': 'call', 'params': {'service': 'object', 'method': 'execute', 'args': ['database_name', 341, 'super_secret_password', 'res.partner', 'search_read', [('id', '=', 1)], ['id']]}, 'id': 625924402} => {'jsonrpc': '2.0', 'id': 625924402, 'result': [{'id': 1}]}
First witnessed in version 0.6.0, reproducable in 0.8.0.
Depending if the module is used on a server this could lead to possibly leaked passwords.
When setting a logger to debug, the user's password is logged in plaintext after the initial connection is set up.
PoC:
method
can be bothjsonrpc
orjsonrpc+ssl
andport
can be any valid Odoo or reverse proxy port.The above results in:
First witnessed in version 0.6.0, reproducable in 0.8.0.
Depending if the module is used on a server this could lead to possibly leaked passwords.