Security Research & Advisories

Unrestricted Upload of File with Dangerous Type in Dolibarr

Product Dolibarr
Affected Version(s) 5.0.3 probably prior
Tested Version(s) 5.0.3
Vulnerability Discovery June 3, 2017
Vendor Notification June 6, 2017
Advisory Publication June 7, 2017 [without technical details]
Vendor Acknowledgment June 6, 2017
Vendor Fix Fixed as of 5.0.4
Public Disclosure March 12, 2017
Latest Modification March 12, 2017
CVE Identifier(s) CVE-2017-9840
Product Description Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.
Credits Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Unrestricted Upload of File with Dangerous Type
Severity: High CVSS Score: 8.8 CWE-ID: CWE-434 Status: Closed
Vulnerability Description
The application Dolibarr 5.0.3 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within the context of the vulnerable application.
CVSS Base Score
Attack Vector Network Scope Unchanged
Attack Complexity Low Confidentiality Impact High
Privileges Required Low Integrity Impact High
User Interaction None Availability Impact High


Dolibarr application allows low-privilege users to upload files. However, the application does not whitelist only certain type of files (e.g. PDF, JPG, PNG, DOCX, etc), instead, any type of files can be uploaded to the filesystem via the application.

When uploading a file with extension “.php”, the application automatically append the extension “.noexe”. Unfortunately, this mechanism can be bypassed by editing the file’s name after upload and removing the noexe extension as described in the screenshots below:

The following screenshot shows the upload of a PHP webshell:

The following screenshot shows the upload was successful and as previously explained, the application added the “noexe” extension preventing the file from executing. However, the application allows us to modify the file’s name by clicking in the edit button shown by the red arrow:

We can now remove the “.noexe” extension:

Removing the extension was successful as shown in the screenshot below:

We can now call the webshell and use it to run command on the web server:

Note: This vulnerability has been fixed in version 5.0.4