Odoo DoS via Document Attachments

If you have the document module installed in Odoo, try uploading this .docx document as an attachment.

Chances are it will take a while.

Continuing from the previous post about denial of service via Odoo's XML-RPC, this is another easy XML-based DoS in Odoo, this time through the attachment indexing feature enabled by the document addon. The indexer unpacks .docx, .pptx, .xlsx, .ods, .odt and similar files (zip archives of XML parts) and parses the XML inside them to extract human-readable strings so that the documents become searchable. Those parts are parsed with minidom, which expands internal DTD entities and is therefore vulnerable to the billion laughs and quadratic blowup attacks: a few hundred bytes of nested entity declarations expand to gigabytes of text, and the worker handling the attachment spends its time and memory on that expansion.

IIUC, the attachments are indexed as they are created/written, so a few unprivileged attack scenarios come to mind:

  • Replying to an email sent from Odoo with a malicious attachment;
  • Uploading a file from a website form (if such a feature exists on the site).

Mitigations?

I've made a module which utilizes defusedxml to safely parse the analyzed documents and prevent the attacks. If a maliciously constructed XML is encountered, the indexing of the document is simply skipped.
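
The attack path described above and the "skip indexing on malicious XML" mitigation, as an added example that is not Odoo's indexer and not the author's module. It builds a minimal .docx-shaped zip in memory, puts a billion laughs or quadratic blowup DTD into word/document.xml, measures how much text xml.dom.minidom materialises from it, and then indexes the same file with a minidom builder that refuses any entity declaration. That refusal is the default policy of defusedxml, reimplemented here on the standard library only so the demo runs without a third-party package. The element names are the real WordprocessingML ones; the zip layout, the payload sizes and the function names are this example's own.

```python
"""Entity-expansion DoS through .docx text indexing, and a hardened parse.

Added example, not Odoo's code and not the author's module. Sizes are kept
small on purpose: a real billion laughs payload is ten levels deep and a few
hundred bytes of input expand to gigabytes of text.
"""
import io
import zipfile
import xml.dom.expatbuilder
import xml.dom.minidom

WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


class EntitiesForbidden(ValueError):
    """A document declared an entity; indexing it is refused, not attempted."""


class NoEntityBuilderNS(xml.dom.expatbuilder.ExpatBuilderNS):
    """Namespace-aware builder (what minidom.parseString uses) that aborts
    on the first <!ENTITY> declaration, before anything can be expanded."""

    def install(self, parser):
        super().install(parser)
        parser.EntityDeclHandler = self._forbid_entity

    def _forbid_entity(self, name, *_):
        raise EntitiesForbidden(f"entity declaration refused: {name!r}")


def _document_xml(dtd: str, text: str) -> bytes:
    """Smallest WordprocessingML body worth indexing: one paragraph."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n' + dtd +
        f'<w:document xmlns:w="{WORD_NS}"><w:body><w:p><w:r><w:t>'
        f"{text}</w:t></w:r></w:p></w:body></w:document>"
    ).encode()


def benign_document_xml(text: str) -> bytes:
    return _document_xml("", text)


def billion_laughs_xml(depth: int, fanout: int = 10) -> bytes:
    """lol<depth> expands to fanout**depth copies of 'lol' (nested entities)."""
    ents, prev = ['<!ENTITY lol "lol">'], "lol"
    for level in range(1, depth + 1):
        refs = "".join(f"&{prev};" for _ in range(fanout))
        ents.append(f'<!ENTITY lol{level} "{refs}">')
        prev = f"lol{level}"
    dtd = "<!DOCTYPE document [\n" + "\n".join(ents) + "\n]>\n"
    return _document_xml(dtd, f"&{prev};")


def quadratic_blowup_xml(size: int, refs: int) -> bytes:
    """One `size`-byte entity referenced `refs` times: size*refs bytes of text."""
    dtd = f'<!DOCTYPE document [\n<!ENTITY a "{"a" * size}">\n]>\n'
    return _document_xml(dtd, "&a;" * refs)


def make_docx(document_xml: bytes) -> bytes:
    """Constructed zip with just the part the indexer reads; a real .docx has more."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def textify(node) -> str:
    """Concatenate every text node under `node`, depth first."""
    if node.nodeType == node.TEXT_NODE:
        return node.data
    return "".join(textify(child) for child in node.childNodes)


def index_docx(docx_bytes: bytes, safe: bool) -> str:
    """Paragraph text of a .docx. safe=False parses as the post describes
    (plain minidom, entities expanded). safe=True uses the hardened builder
    and returns "" for a document that declares entities: the attachment is
    still stored, it is simply not indexed."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        part = zf.read("word/document.xml")
    if safe:
        try:
            dom = NoEntityBuilderNS().parseString(part)
        except EntitiesForbidden:
            return ""
    else:
        dom = xml.dom.minidom.parseString(part)
    return "\n".join(textify(p) for p in dom.getElementsByTagNameNS(WORD_NS, "p"))


if __name__ == "__main__":
    for name, part in [("billion laughs", billion_laughs_xml(4)),
                       ("quadratic blowup", quadratic_blowup_xml(1000, 100))]:
        docx = make_docx(part)
        print(f"{name}: {len(part)} bytes of XML -> "
              f"{len(index_docx(docx, safe=False))} chars indexed unsafely, "
              f"{len(index_docx(docx, safe=True))} chars indexed safely")
```

Refusing entity declarations is what defusedxml does by default (forbid_entities=True) and it covers both payloads, since quadratic blowup also needs an internal entity. Newer Expat releases add their own amplification limit, but it only activates past a multi-megabyte threshold and depends on the libexpat your Python was built against, so the explicit refusal is still the check to rely on. When a document is skipped, log it: the attachment has been accepted and stored, it just will not turn up in searches.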

You're welcome?