Contributors mailing list archives
Re: Bank Account Securityby
Open for Small Business, Graeme Gellatly
Sorry you are completely wrong. There is a huge difference between a conscious decision that odoo themselves has made about their own security rules and sql injections, buffer r overflow, privilege escalation etc. There is nothing to disclose, it is obvious public information already.
On Fri, 23 Dec 2022, 12:12 am Urtzi Pérez, <firstname.lastname@example.org> wrote:
I agree with you Luis, but I think Jairo's message is important for the knowledge of every contributor.Thank you Jairo for sharing your opinion.
Urtzi PérezEl jue, 22 dic 2022 a las 9:21, LuisDaniel Lafaurie (<email@example.com>) escribió:Hi, Jairo, in relation to your comments about what Graeme has posted, I believe you're right when explaining the way it should have been dealt with. BUT, you're contradicting yourself by posting this message publicly and not addressing only the person who posted it in the first place, which will make the problem even bigger.Just saying!Regards,LuisOn Thu, 22 Dec 2022, 08:57 Jairo Llopis, <firstname.lastname@example.org> wrote:Hi Graeme, thanks for finding this security problem.While I appreciate your intentions sincerely, I have to tell you this is not an appropriate way to do it. 😅When dealing with security problems it's important to understand the impact of such information. There's a concept called "responsible disclosure". When you find the vulnerability, is it your responsability to report it? I consider it a yes for me. But where to report it? If there's a security hole and someone makes it public before the patch is released, they only help in doing the problem bigger. Now there's not only a problem (the bug), there are two extra problems (everybody knows the bug and nobody has the fix).I've personally participated in fixing security holes both in Odoo and in OCA (and many contributors here too), and a good rule of thumb is: fix first, tell later. If you don't have a clear path for fixing the issue, it's better to ask specific persons through private channels than telling the world they can abuse every Odoo installation to steal money.In the case of Odoo, here they have the responsible disclosure process for those problems, and my recommendation is that you follow it. Now the bug is public, so please do it ASAP.Regarding the fix, modules are not meant to fix security issues. They are meant to improve the software. If there's a security problem, it must be fixed where the problem exists: in the payment module in this case AFAICS.Thanks!El lun, 19 dic 2022 a las 21:57, Graeme Gellatly (<email@example.com>) escribió:Hi all,During an evaluation of OCA payment order module we discovered a critical default security issue in Odoo. (Note this is V14, but I doubt Odoo did anything)Fundamentally, anybody with Contact Creation rights has unfettered access to bank accounts (res.partner.bank). Of course the issue here is with payment orders or any sort of manual/automatic payment upload where the account comes from Odoo as anyone with those rights can just change the account of a large supplier, get paid, move to Caymans.On the other hand, where an account does not exist it is created during reconciliation.My gut feel is I want to create a simple security addon which just restricts who can Edit/Delete bank accounts. Maybe create too if I can find the creates and work around them.So some questionsIs it a good idea?Does it already exist?Which repo?For create as well?For advisor rights (I think nearly all with advisor rights will be members of professional accounting bodies and bound to professional standards OR a business principal) or a new group?Only for automated payment scenarios or by default? my gut says actually this is a big issue and should be default.