Study on Odoo Security by our partner firm
Analysis by Invesics Cyber Forensics
Charity begins at home! OdooQa started the study on its own website. Invesics.com is our business partner who handles Odoo security on our behalf, and we work hand in hand. The following analysis draws its references from Odoo.com and, in places, from Wikipedia. Below are the highlights; the complete study is here.
Odoo is an all-in-one management software suite offering a range of business applications for companies of all sizes, including CRM, website/e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory.
• The prime benefit of Odoo is its extensible architecture. A large number of freelancers and organizations develop Odoo apps or modules and publish them on the marketplace, for sale or as free downloads.
• The main Odoo components are the OpenObject framework, about 30 core modules (also called official modules) and more than 5000 community modules. Most Odoo modules are available on Odoo S.A.'s marketplace, where the community can buy them or download many of them for free.
• As of 9 July 2018, 15,759 apps or modules were listed on the marketplace across various categories. Most modules are available for all active versions: 9.0, 10.0 and 11.0.
Below are the security practices followed by the Odoo team to secure Odoo cloud:
• Backup and disaster recovery: Odoo keeps full backups of each instance for up to 3 months. Odoo also has disaster-recovery procedures in place; in the worst case, where data cannot be recovered and the last daily backup is restored, users lose at most 24 hours of work.
• Database security: Customer data is stored in a dedicated database, where data is not shared between clients. Data access control rules implement complete isolation between customer databases.
• Password security: Customer passwords are protected with the industry-standard PBKDF2+SHA512 scheme (salted and stretched over thousands of rounds). This is a one-way hash, not encryption: Odoo staff cannot recover a user's password, so a lost password can only be reset.
• Employee access: Odoo staff may access user accounts to resolve support issues, using a staff authorization rather than the user's password.
• System security: All Odoo online servers run hardened Linux distributions. Only a few trusted Odoo engineers have clearance to manage the servers remotely. Firewalls and intrusion countermeasures prevent unauthorized access.
• Physical security: Security cameras monitor the physical data centres. Physical access to the data centres hosting Odoo servers is restricted to data centre technicians.
• Communications: All web connections to client instances are protected with 256-bit SSL/TLS encryption. Odoo servers are continuously monitored and patched against the latest SSL/TLS vulnerabilities.
Some recent Odoo vulnerabilities that have been exploited:
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.
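The reason "unpickle" turns a data-handling bug into code execution is that Python's pickle format can name any importable callable and have it invoked during loading. The following is an added example written for this page, not Odoo's anonymization code: it builds a harmless payload that runs `echo` when loaded, shows the vulnerable `pickle.loads` pattern, and then two alternatives, a restricted unpickler that resolves only one expected class, and the preferred option of switching to a data-only format (JSON) with explicit schema validation. Class names, the record shape and the sample inputs are assumptions made for the example.

```python
"""Why unpickling uploaded data is code execution, and two safer alternatives.
Added example; none of this is Odoo's anonymization code."""
import io
import json
import pickle
import subprocess


class AnonymizedField:
    """The only object type a legitimate anonymization file needs to carry (assumed)."""

    def __init__(self, model: str, field: str, value: str):
        self.model, self.field, self.value = model, field, value


class MaliciousRecord:
    """Attacker-controlled class. pickle calls __reduce__ while loading, so the
    callable it names runs before the application ever inspects the data."""

    def __reduce__(self):
        # Constructed, harmless stand-in for a real command.
        return (subprocess.check_output, (["echo", "code-exec"],))


def build_malicious_upload() -> bytes:
    return pickle.dumps(MaliciousRecord())


def build_legitimate_upload() -> bytes:
    return pickle.dumps(AnonymizedField("res.partner", "name", "Anonymous"))


def vulnerable_load(data: bytes):
    """The pattern the advisory describes: pickle.loads on bytes the user chose."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation if pickle must stay: resolve only the one expected class.
    Every other global reference (subprocess.check_output, os.system, ...) is refused."""

    def find_class(self, module, name):
        if (module, name) == (AnonymizedField.__module__, AnonymizedField.__name__):
            return AnonymizedField
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_json_load(data: bytes) -> list:
    """Preferred fix: a data-only format plus explicit schema validation.
    JSON cannot name code, so the worst case is a rejected document."""
    records = json.loads(data.decode("utf-8"))
    if not isinstance(records, list):
        raise ValueError("expected a list of records")
    out = []
    for rec in records:
        if not isinstance(rec, dict) or set(rec) != {"model", "field", "value"}:
            raise ValueError(f"unexpected record shape: {rec!r}")
        if not all(isinstance(rec[k], str) for k in ("model", "field", "value")):
            raise ValueError("all record fields must be strings")
        out.append(AnonymizedField(rec["model"], rec["field"], rec["value"]))
    return out


def is_rejected(loader, data: bytes) -> bool:
    """True if loader refuses data instead of returning something."""
    try:
        loader(data)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False
```

`vulnerable_load(build_malicious_upload())` returns the output of the command the payload named, which is the whole problem: the code ran before any check could run. `restricted_load` refuses the same bytes, and `safe_json_load` never has a code path to reach.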
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used.
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, incorrect access control on OAuth tokens in the OAuth module allows remote authenticated users to hijack the OAuth sessions of other users.
A directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, and 10.0 allows remote authenticated users to read arbitrary local files readable by the Odoo service.
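The NUL-byte issue above is a classic split-view bug: a check performed in Python sees the whole string, while a driver that hands the value to C as a NUL-terminated buffer drops everything from the first 0x00 onward, so the database acts on a different value. The block below is an added simulation, not Odoo's code and not a real psycopg2 call: `driver_view` stands in for the truncating driver, and the reserved-login scenario is a constructed illustration of how a Python-side check and the database can disagree. The fix the page describes is upgrading the driver; `reject_nul` is the defence-in-depth check a web layer should apply anyway.

```python
"""NUL-byte truncation: the application layer and the database layer see
different strings. Added simulation; no database driver is involved."""

RESERVED_LOGINS = {"admin"}  # constructed: logins the application refuses to create


def driver_view(value: str) -> str:
    """Stand-in for a binding layer that passes strings to C as NUL-terminated
    buffers: everything from the first 0x00 byte onward is silently dropped."""
    return value.split("\x00", 1)[0]


def create_user_vulnerable(login: str) -> str:
    """The reserved-name check runs on the full Python string, but the value
    that reaches the (simulated) database is the truncated one.
    Returns the login as the database would receive it."""
    if login in RESERVED_LOGINS:
        raise PermissionError("reserved login")
    return driver_view(login)  # "admin\x00x" passed the check but arrives as "admin"


def reject_nul(value: str) -> str:
    """Defence in depth at the web layer: refuse any parameter containing 0x00.
    A correct driver (the actual fix) passes the length explicitly and never truncates."""
    if "\x00" in value:
        raise ValueError("NUL byte in parameter")
    return value


def create_user_fixed(login: str) -> str:
    login = reject_nul(login)
    if login in RESERVED_LOGINS:
        raise PermissionError("reserved login")
    return driver_view(login)  # with no NUL present, truncation cannot change the value


def is_rejected(fn, login: str) -> bool:
    """True if fn refuses the login instead of letting it through."""
    try:
        fn(login)
    except (PermissionError, ValueError):
        return True
    return False
```

The same mismatch applies to any comparison, uniqueness check or authorization decision made on the Python side before the value is bound into SQL; rejecting NUL bytes at the request boundary removes the whole class.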
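A file-opening helper that accepts a caller-supplied relative path has to prove the resolved target still lies inside the intended root, after symlinks and `..` components are resolved, rather than merely rejecting suspicious-looking strings. The following is an added example of that root-confinement check, written for this page; it is not Odoo's `tools.file_open`. The fixture directory, file names and probe paths are constructed for the demonstration.

```python
"""Root-confined file opening: added example, not Odoo's tools.file_open."""
import os
import tempfile


def safe_file_open(root: str, relative_path: str, mode: str = "rb"):
    """Open relative_path only if it resolves to a location inside root.

    realpath() collapses '..' and follows symlinks, so the comparison is made on
    the path that would actually be opened; commonpath() compares whole path
    components, so a root of /srv/app does not accidentally admit /srv/app2.
    """
    root_real = os.path.realpath(root)
    if os.path.isabs(relative_path):
        raise PermissionError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(root_real, relative_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes root: {relative_path!r}")
    return open(candidate, mode)


def demo() -> dict:
    """Constructed fixture: one readable file inside the root, one secret outside it,
    and a symlink inside the root that points at the secret."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "addons")
    os.makedirs(os.path.join(root, "web", "static"))
    with open(os.path.join(root, "web", "static", "ok.txt"), "w") as f:
        f.write("public")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("secret")
    try:
        os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link.txt"))
    except OSError:
        pass  # platforms without symlink support: the probe then simply fails to open

    probes = [
        "web/static/ok.txt",          # legitimate
        "../secret.txt",              # plain traversal
        "web/../../secret.txt",       # traversal hidden behind a valid prefix
        "link.txt",                   # symlink escaping the root
        "/etc/passwd",                # absolute path
    ]
    results = {}
    for rel in probes:
        try:
            with safe_file_open(root, rel) as f:
                results[rel] = f.read().decode()
        except (PermissionError, FileNotFoundError):
            results[rel] = "denied"
    return results
```

Only the legitimate probe returns content; every escape attempt, including the symlink, is refused because the check is made on the fully resolved path.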
Overall, we found the following noteworthy problems:
1. Cookie Poisoning
2. Session Termination
3. Broken Access Control
4. Cross Site Request Forgery (CSRF)
5. Cross Site Scripting (XSS)
6. Code Injection
7. Using HTTP Connection
8. Sensitive Data Exposure
10. Cross Frame Scripting (XFS)
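Several of the problems in that list (cookie poisoning, CSRF, use of plain HTTP, sensitive data exposure, cross frame scripting) are visible in a single HTTP response's headers and Set-Cookie attributes, which makes them cheap to check on every deployment. The block below is an added example of such an audit, written for this page and not part of the Invesics report; it works on a captured response given as plain dictionaries, so it runs offline. The two sample responses are constructed, not captured from any real site, and the mapping of each check to a numbered finding above is the editor's.

```python
"""Audit one HTTP response for the header-visible weaknesses in the list above.
Added example; constructed sample responses, no network access."""


def _cookie_attrs(set_cookie: str):
    """Return (cookie name, {attribute names, lower-cased}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url: str, headers: dict, set_cookies: list) -> list:
    """Return (finding number from the list above, message) tuples."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 7. Using HTTP connection: plaintext scheme, or no HSTS to pin clients to HTTPS.
    if url.lower().startswith("http://"):
        findings.append((7, "page served over plain HTTP"))
    if "strict-transport-security" not in h:
        findings.append((7, "missing Strict-Transport-Security"))

    # 10. Cross Frame Scripting: the page can be framed by any origin.
    xfo = h.get("x-frame-options", "").strip().upper()
    csp = h.get("content-security-policy", "").lower()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append((10, "no X-Frame-Options or CSP frame-ancestors"))

    # 8. Sensitive data exposure: software versions advertised in the Server header.
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append((8, f"Server header discloses version: {server!r}"))

    # 1 and 4. Cookie poisoning and CSRF: attributes on every cookie set.
    for raw in set_cookies:
        name, attrs = _cookie_attrs(raw)
        if "secure" not in attrs:
            findings.append((1, f"cookie {name} lacks Secure (sent over HTTP)"))
        if "httponly" not in attrs:
            findings.append((1, f"cookie {name} lacks HttpOnly (readable by script)"))
        if "samesite" not in attrs:
            findings.append((4, f"cookie {name} lacks SameSite (sent on cross-site requests)"))
    return findings


# Constructed sample responses, not captured from any real deployment.
WEAK_RESPONSE = dict(
    url="http://erp.example.test/web/login",
    headers={"Server": "Werkzeug/0.14.1 Python/3.6.9", "Content-Type": "text/html"},
    set_cookies=["session_id=0123abcd; Path=/"],
)
HARDENED_RESPONSE = dict(
    url="https://erp.example.test/web/login",
    headers={
        "Server": "nginx",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
        "Content-Type": "text/html",
    },
    set_cookies=["session_id=0123abcd; Path=/; Secure; HttpOnly; SameSite=Lax"],
)


def finding_numbers(response: dict) -> set:
    """The distinct finding numbers raised for a response."""
    return {n for n, _ in audit_response(**response)}
```

Run `audit_response(**WEAK_RESPONSE)` to see the individual messages; the hardened response produces none. Code injection and XSS (items 5 and 6) need request-level testing and are not detectable from headers alone, so they are deliberately outside this check.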