Odoo Web Client

[5.0] HTTP Request Smuggling possible in 5.0

Bug #618674 reported by Christophe CHAUVET on 2010-08-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Odoo Web Client	Fix Released	Low	Unassigned	Odoo Web Client 6.0-rc2

Bug Description

I found an issue when i configure the web client with reverse proxy

I use Chromuim (Chrome web browser) and i activate the javascript console, after login, i see the menu and in my console i see:
- Refused to set unsafe header "Connection"
- Refused to set unsafe header "Content-length"

After some search on the web, i found this article http://www.owasp.org/index.php/HTTP_Request_Smuggling and explain how to exploi this issue with embeded a second http request in the first one

Regards,

Tags:

Revision history for this message

Amit Mendapara (cristatus) wrote on 2010-08-16:

IMO, it is the responsibility of the intermediate proxy to validate the the request headers.

Regarding to those warnings, I think, it is safe to remove that part from `Ajax.post` implementation from the `static/javascript/ajax.js` file. That code is based on old MochiKit implementation, I have explored the `jQuery` implementation of a similar function and there is no such headers being set in jquery's implementation.

Revision history for this message

Christophe CHAUVET (christophe-chauvet) wrote on 2010-08-18:

I have this message as well if i not use reverse proxy

It's a general problem

Regards,

Revision history for this message

Amit Mendapara (cristatus) wrote on 2010-08-18: Re: [Bug 618674] Re: [5.0] HTTP Request Smuggling possible in 5.0

On Wed, Aug 18, 2010 at 5:28 PM, Christophe Chauvet - http://www.syleam.fr/
<email address hidden> wrote:

> Hi
>
> I have this message as well if i not use reverse proxy
>
>
In that case you should not fear of this vulnerability.

It's a general problem

I think you can safely ignore those warnings if this is not the case else
make sure that your proxy is not vulnerable to this issue.

Regards
--
Amit Mendapara

Revision history for this message

Antony Lesuisse (OpenERP) (al-openerp) wrote on 2010-12-15:

This code is not present anymore as revno 4118 so you should not get those warning anymore.
And this is not a security issue. Those headers can be used to abuse insecure proxy but it's unrelated to openerp.

Changed in openobject-client-web:
milestone:	5.0.13 → 6.0-rc2
status:	Confirmed → Fix Released

Olivier Dony (Odoo) (odo-openerp) on 2010-12-15

security vulnerability:	yes → no
visibility:	private → public
Changed in openobject-client-web:
importance:	Critical → Low

Revision history for this message

Olivier Dony (Odoo) (odo-openerp) wrote on 2010-12-15:

To be more precise: the warning you saw was just a security measure of the browser because the former Ajax library tried to set a header that cannot be manually set. This was useless and not harmful in any way, and is now removed.

The attack you refer to is simply the reason why modern browsers refuse to let the Ajax callers set these headers, and this is about a vulnerability of Proxies and Web Gateway, and is not a concern for OpenERP.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.