Unrestricted access to Odoo DB manager
Description
Odoo is a comprehensive suite of business management software tools. The Odoo database manager interface (/web/database/manager) provides administrative functions including database backup, restoration, duplication, and deletion. This vulnerability occurs when the database manager is publicly accessible without proper access controls, exposing sensitive administrative functionality to unauthorized users. Even when protected by a master password, public exposure of this interface significantly increases the attack surface and risk of compromise.
Remediation
Implement network-level access controls to restrict access to the Odoo database manager interface:
1. Configure your web server (Nginx/Apache) to block external access to /web/database/manager. Example Nginx configuration:
location /web/database/manager {
deny all;
return 403;
}
# Or restrict to specific IP addresses:
location /web/database/manager {
allow 192.168.1.0/24; # Internal network
allow 10.0.0.5; # Admin IP
deny all;
}
2. Set the 'list_db' parameter to 'False' in your Odoo configuration file (odoo.conf) to prevent database enumeration:
[options]
list_db = False
3. Ensure a strong master password is configured using the 'admin_passwd' parameter
4. Consider using firewall rules to restrict access to the Odoo instance to trusted networks only
5. Regularly audit access logs for unauthorized access attempts to administrative endpoints
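As an added example (not part of the original finding or of Odoo itself), the following Python script covers the verification side of steps 2, 3 and 5: it reads the [options] section of an odoo.conf and flags list_db left enabled or a weak admin_passwd, and it runs over Nginx access-log lines to report which client addresses actually reached the database-manager routes versus being blocked. The log lines and configuration fragments are constructed samples. The script matches the whole /web/database/ prefix rather than only /web/database/manager because Odoo's database controller serves the backup, restore, drop and duplicate actions as sibling routes under that prefix, so a block on the manager page alone does not cover them; the 12-character minimum for the master password is an assumption, since the finding only says "strong".

```python
import re
from collections import Counter
from configparser import ConfigParser

# Constructed sample Nginx access-log lines in the "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /web/database/manager HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "POST /web/database/backup HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.168.1.20 - - [10/May/2024:12:01:00 +0000] "GET /web/database/manager HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:02:00 +0000] "GET /web/login HTTP/1.1" 200 2040 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:12:03:00 +0000] "POST /web/database/drop HTTP/1.1" 403 153 "-" "Mozilla/5.0"
"""

# Constructed odoo.conf fragments: one before remediation, one after.
CONF_BEFORE = "[options]\nlist_db = True\nadmin_passwd = admin\n"
CONF_AFTER = "[options]\nlist_db = False\nadmin_passwd = correct-horse-battery-staple-2024\n"

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Odoo's database controller serves the manager page and its backup/restore/drop/
# duplicate actions as sibling routes under this prefix, so the audit matches the
# whole prefix rather than only /web/database/manager.
DB_PREFIX = "/web/database/"

# Minimum master-password length enforced by this check (an assumption; the
# finding only says "strong").
MIN_MASTER_PASSWORD_LEN = 12


def parse_log(text):
    """Yield one dict per parseable access-log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def audit_db_manager_hits(text):
    """Count requests to the database-manager routes per client IP.

    'allowed' holds requests the server actually served (2xx); 'blocked' holds
    the ones it refused (403 or any other non-2xx). Any 'allowed' entry from an
    address outside the trusted ranges means the access control is not in effect.
    """
    allowed, blocked = Counter(), Counter()
    for rec in parse_log(text):
        if not rec["path"].startswith(DB_PREFIX):
            continue
        if 200 <= rec["status"] < 300:
            allowed[rec["ip"]] += 1
        else:
            blocked[rec["ip"]] += 1
    return {"allowed": dict(allowed), "blocked": dict(blocked)}


def audit_odoo_conf(text):
    """Return a list of findings for the [options] section of an odoo.conf."""
    # interpolation=None so a '%' in the master password does not break parsing
    cfg = ConfigParser(interpolation=None)
    cfg.read_string(text)
    opts = cfg["options"] if cfg.has_section("options") else {}
    findings = []
    # Odoo defaults list_db to True when the key is absent
    if str(opts.get("list_db", "True")).strip().lower() != "false":
        findings.append("list_db is not False: database enumeration is possible")
    pw = str(opts.get("admin_passwd", "")).strip()
    if not pw or pw == "admin":
        findings.append("admin_passwd is unset or left at Odoo's default 'admin'")
    elif len(pw) < MIN_MASTER_PASSWORD_LEN:
        findings.append(f"admin_passwd is shorter than {MIN_MASTER_PASSWORD_LEN} characters")
    return findings


if __name__ == "__main__":
    print(audit_db_manager_hits(SAMPLE_LOG))
    print("before:", audit_odoo_conf(CONF_BEFORE))
    print("after:", audit_odoo_conf(CONF_AFTER))
```

Run against a real access log by reading the file into audit_db_manager_hits; in the sample above, 203.0.113.7 (an address outside the internal ranges) was served the manager page and a backup call, which is exactly the condition the Nginx rule in step 1 is meant to prevent. On an Nginx in front of Odoo, the 403 lines come from Nginx itself, so the audit also confirms the rule is matching.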