If you have the
document module installed in Odoo, try uploading this .docx document as an attachment.
Chances are it will take a while.
Continuing from the previous post
about Denial of Service via Odoo's XML-RPC, this is another case of easy
XML-based DoS attacks in Odoo. This time - through the attachment indexing
feature (enabled by the
document addon), which parses .docx, .pptx,
.xlsx, .ods, .odt, etc. files to extract human-readable strings from
the documents to enable search through the documents. The analyzed files are
XML files, and they are parsed using
to the billion laughs
and quadratic blowup attacks.
IIUC, the attachments are indexed as they are created/written, so a few unprivileged attack scenarios come to mind:
- Replying to an email sent from Odoo with a malicious attachment;
- Uploading a file from a website form (if such feature exists on the site).
I've made a module which utilizes defusedxml to safely parse the analyzed documents and prevent the attacks. If a maliciously constructed XML is encountered, the indexing of the document is simply skipped.
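The mitigation described above, as an added example that is not the post's module: a stdlib-only text extractor for word/document.xml that refuses any DOCTYPE or entity declaration at declaration time (the same expat hook defusedxml installs), so a document carrying one is returned as "not indexed". The make_docx helper and both sample documents are constructed for this demo.

```python
import io
import zipfile
from xml.parsers import expat


class ForbiddenXML(Exception):
    """The XML carries a DOCTYPE or entity declaration."""


def extract_docx_text(docx_bytes):
    """Text of word/document.xml, or None when the XML is refused (not indexed)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml_data = zf.read("word/document.xml")
    parts, in_text = [], [False]

    def forbid(*_args):
        # Refused at declaration time, before any entity can be expanded.
        raise ForbiddenXML("DOCTYPE/entity declaration not allowed")

    def start(name, _attrs):
        # Visible text in WordprocessingML lives in <w:t> elements.
        in_text[0] = name.rsplit(":", 1)[-1] == "t"

    parser = expat.ParserCreate()
    parser.buffer_text = True  # each text node arrives in a single call
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: in_text.__setitem__(0, False)
    parser.CharacterDataHandler = lambda data: in_text[0] and parts.append(data)
    try:
        parser.Parse(xml_data, True)
    except ForbiddenXML:
        return None
    return " ".join(parts)


def make_docx(document_xml):
    """Constructed helper: a minimal in-memory .docx holding word/document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


BENIGN = make_docx(b'<w:document xmlns:w="urn:w"><w:body><w:p><w:r>'
                   b"<w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>")
# Constructed: one harmless entity declaration is already enough to be refused.
WITH_DTD = make_docx(b'<!DOCTYPE w [<!ENTITY e "x">]><w:document xmlns:w="urn:w">'
                     b"<w:body><w:p><w:r><w:t>&e;</w:t></w:r></w:p></w:body></w:document>")
```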