[5.0] HTTP Request Smuggling possible in 5.0

Bug #618674 reported by Christophe CHAUVET
Affects           Status         Importance   Assigned to   Milestone
Odoo Web Client   Fix Released   Low          Unassigned

Bug Description

Hi

I found an issue when I configure the web client with a reverse proxy.

I use Chromium (Chrome web browser) and I activate the JavaScript console; after login, I see the menu and in my console I see:
- Refused to set unsafe header "Connection"
- Refused to set unsafe header "Content-length"

After some searching on the web, I found this article http://www.owasp.org/index.php/HTTP_Request_Smuggling which explains how to exploit this issue by embedding a second HTTP request in the first one.

Regards,

Revision history for this message
Amit Mendapara (cristatus) wrote :

IMO, it is the responsibility of the intermediate proxy to validate the request headers.

Regarding those warnings, I think it is safe to remove that part from the `Ajax.post` implementation in the `static/javascript/ajax.js` file. That code is based on the old MochiKit implementation; I have explored the `jQuery` implementation of a similar function and there are no such headers being set in jQuery's implementation.

Revision history for this message
Christophe CHAUVET (christophe-chauvet) wrote :

Hi

I have this message as well if I do not use a reverse proxy.

It's a general problem.

Regards,

Revision history for this message
Amit Mendapara (cristatus) wrote : Re: [Bug 618674] Re: [5.0] HTTP Request Smuggling possible in 5.0

On Wed, Aug 18, 2010 at 5:28 PM, Christophe Chauvet - http://www.syleam.fr/
<email address hidden> wrote:

> Hi
>
> I have this message as well if I do not use a reverse proxy.
>

In that case you should not fear this vulnerability.

> It's a general problem.

I think you can safely ignore those warnings if this is not the case; otherwise
make sure that your proxy is not vulnerable to this issue.

Regards
--
Amit Mendapara

Revision history for this message
Antony Lesuisse (OpenERP) (al-openerp) wrote :

This code is not present anymore as of revno 4118, so you should not get those warnings anymore.
And this is not a security issue. Those headers can be used to abuse an insecure proxy, but it's unrelated to OpenERP.

Changed in openobject-client-web:
milestone: 5.0.13 → 6.0-rc2
status: Confirmed → Fix Released
security vulnerability: yes → no
visibility: private → public
Changed in openobject-client-web:
importance: Critical → Low

Revision history for this message
Olivier Dony (Odoo) (odo-openerp) wrote :

To be more precise: the warning you saw was just a security measure of the browser, because the former Ajax library tried to set a header that cannot be set manually. This was useless and not harmful in any way, and is now removed.

The attack you refer to is simply the reason why modern browsers refuse to let Ajax callers set these headers; it is about a vulnerability of proxies and web gateways, and is not a concern for OpenERP.
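The two comments above (Amit's suggestion to drop the header-setting code from `Ajax.post`, and Olivier's explanation that browsers refuse these headers) are illustrated by the following added example. It is not code from the OpenERP/Odoo web client or from the bug reporters: it is a small Ajax helper that filters out request headers a browser will refuse to let a script set (`Connection`, `Content-Length`, and the rest of the forbidden-header list from the WHATWG Fetch standard, which is an assumption about the current spec; older browsers used slightly different lists) before calling `setRequestHeader`, so no "Refused to set unsafe header" warning is triggered and the caller can see what was dropped. The `xhrFactory` parameter and the `/example/endpoint` URL are hypothetical, so the helper can be exercised outside a browser.

```javascript
// Added example, not part of the OpenERP/Odoo code base.
// Request header names that browsers refuse to let page scripts set
// (approximation of the Fetch standard's forbidden request headers;
// matched case-insensitively, plus the "proxy-" and "sec-" prefixes).
const FORBIDDEN_HEADERS = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

// True when a browser would reject setRequestHeader(name, ...).
function isForbiddenHeader(name) {
  const lower = String(name).toLowerCase();
  return FORBIDDEN_HEADERS.has(lower) ||
    lower.startsWith("proxy-") || lower.startsWith("sec-");
}

// Splits a header map into the headers we may set and the names we dropped,
// so the caller can log the dropped ones instead of relying on console noise.
function sanitizeHeaders(headers) {
  const allowed = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers || {})) {
    if (isForbiddenHeader(name)) dropped.push(name);
    else allowed[name] = value;
  }
  return { allowed, dropped };
}

// Minimal stand-in for the old MochiKit-style Ajax.post. `xhrFactory` is a
// hypothetical injected constructor; in a real page it would be
// () => new XMLHttpRequest(). Returns the list of header names that were
// dropped, so callers can audit what the browser would have refused anyway.
function ajaxPost(url, body, headers, xhrFactory) {
  const { allowed, dropped } = sanitizeHeaders(headers);
  const xhr = xhrFactory();
  xhr.open("POST", url, true);
  for (const [name, value] of Object.entries(allowed)) {
    xhr.setRequestHeader(name, value);
  }
  xhr.send(body);
  return dropped;
}

// Stand-alone demonstration with a constructed fake XMLHttpRequest that records
// the calls made to it (no network access needed).
function demo() {
  const calls = [];
  const fakeXhr = () => ({
    open: (method, url) => calls.push(["open", method, url]),
    setRequestHeader: (n, v) => calls.push(["header", n, v]),
    send: (b) => calls.push(["send", b]),
  });
  // Constructed header map mirroring the two headers from the bug report.
  const dropped = ajaxPost("/example/endpoint", "{}", {
    "Connection": "close",
    "Content-length": "2",
    "Content-Type": "application/json",
  }, fakeXhr);
  return { dropped, calls };
}
```

The design point is that the helper never tries to set a forbidden header, so the browser warning disappears for the right reason: the page stops asking for something the browser will not do, and the only headers that reach the proxy are the ones the browser itself computes (`Content-Length`, `Connection`, `Host`), which is exactly why this was never an OpenERP-side smuggling vector.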
