| Vendor |
|
| Product | Dolibarr |
| Affected Version(s) | 5.0.3 probably prior |
| Tested Version(s) | 5.0.3 |
| Vulnerability Discovery | June 3, 2017 |
| Vendor Notification | June 6, 2017 |
| Advisory Publication | June 7, 2017 [without technical details] |
| Vendor Acknowledgment | June 18, 2017 |
| Vendor Fix | Partially fixed as of 5.0.4 |
| Public Disclosure | March 12, 2017 |
| Latest Modification | March 12, 2017 |
| CVE Identifier(s) | CVE-2017-9839 |
| Product Description | Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities. |
| Credits | Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group |
| Multiple SQL Injection Vulnerabilities in Dolibarr | |||
| Severity: Medium | CVSS Score: 6.3 | CWE-ID: CWE-89 | Status: Partial Fix |
| Vulnerability Description | |||
| The application Dolibarr is affected by multiple SQL injection vulnerabilities affecting version 5.0.3 and prior. These vulnerabilities could allow remote authenticated attackers to inject arbitrary SQL code. | |||
| CVSS Base Score | |||
| Attack Vector | Network | Scope | Unchanged |
| Attack Complexity | Low | Confidentiality Impact | Low |
| Privileges Required | Low | Integrity Impact | Low |
| User Interaction | None | Availability Impact | Low |
The Dolibarr web application version 5.0.3 is vulnerable to SQL injection in multiple places. Exploiting this vulnerability leads to an authenticated user being able to inject arbitrary SQL statements, e.g. to dump the entire database.
In addition, the filter in use by Dolibarr to prevent SQL injections can be easily bypassed by URL encoding SQL payloads. This can as well be automated with SQLmap and tamper script “charencode”.
The following screenshot shows the request when listing commercial proposals. To demonstrate the SQL injection vulnerability, we have inputted a single quote character in the viewstatut parameter. This resulted in a SQL error as displayed on the right side of the screenshot:
To demonstrate further the SQL injection, we have inserted “SLEEP” commands which if successfully ran by the database should delay response from the web server. The first screenshot shows the baseline request without the SLEEP command. As you can see on the bottom right corner, the response is returned in 56 milliseconds
We have then added “-SLEEP(1)” and response was returned in 4057 milliseconds
We have then added “-SLEEP(2)” and response was returned in 8059 milliseconds
/dolibarr/htdocs/product/stats/card.php?id=all&leftmenu=stats&type=[SQL STATEMENT HERE]
POST /dolibarr/htdocs/comm/propal/list.php HTTP/1.1
Host: 172.16.206.134
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Referer: http://172.16.206.134/dolibarr/htdocs/comm/propal/list.php?leftmenu=propals
Cookie: DOLSESSID_8c9db71eb2fd5bc470fdb2f0d0752f5d=9jsjp4ar13eqldf8o0mt0b0cl3
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 444
token=c6e90d6743de455a542e1c7f62141eb4&formfilteraction=list&action=list&sortfield=p.ref&sortorder=DESC&massaction=0&confirmmassaction=Confirm&limit=25&search_sale=0&search_user=-1&selectedfields=p.ref%2Cp.ref_client%2Cs.nom%2Cs.town%2Cs.zip%2Cp.date%2Cp.fin_validite%2Cp.total_ht%2Cu.login%2Cp.fk_statut%2C&search_ref=1&search_refcustomer=&search_societe=&search_town=&search_zip=&month=&year=&search_montant_ht=&search_login=&propal_statut=[SQL STATEMENT HERE]
Note: Most vulnerabilities have been fixed in Dolibarr version 5.0.4. However, the viewstatut parameter isstill vulnerable as of 7.0.0. As for parameter propal_statut, it has been renamed to search_statut in version 7.0.0 and is still vulnerable.