| Advisory Field | Value |
|---|---|
| Vendor | |
| Product | Dolibarr |
| Affected Version(s) | 5.0.3 and probably prior |
| Tested Version(s) | 5.0.3 |
| Vulnerability Discovery | June 3, 2017 |
| Vendor Notification | June 6, 2017 |
| Advisory Publication | June 7, 2017 [without technical details] |
| Vendor Acknowledgment | June 6, 2017 |
| Vendor Fix | Fixed as of 5.0.4 |
| Public Disclosure | March 12, 2017 |
| Latest Modification | March 12, 2017 |
| CVE Identifier(s) | CVE-2017-9840 |
| Product Description | Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities. |
| Credits | Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group |
**Unrestricted Upload of File with Dangerous Type**

| Severity | CVSS Score | CWE-ID | Status |
|---|---|---|---|
| High | 8.8 | CWE-434 | Closed |

**Vulnerability Description**

The application Dolibarr 5.0.3 and prior allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application.

**CVSS Base Score**

| Metric | Value | Metric | Value |
|---|---|---|---|
| Attack Vector | Network | Scope | Unchanged |
| Attack Complexity | Low | Confidentiality Impact | High |
| Privileges Required | Low | Integrity Impact | High |
| User Interaction | None | Availability Impact | High |
The Dolibarr application allows low-privilege users to upload files. However, the application does not restrict uploads to an allow-list of file types (e.g. PDF, JPG, PNG, DOCX, etc.); instead, any type of file can be uploaded to the filesystem via the application.
When a file with the extension ".php" is uploaded, the application automatically appends the extension ".noexe". Unfortunately, this mechanism can be bypassed by editing the file's name after upload and removing the ".noexe" extension, as described in the screenshots below:
The following screenshot shows the upload of a PHP webshell:
The following screenshot shows that the upload was successful and, as previously explained, the application added the ".noexe" extension, preventing the file from executing. However, the application allows us to modify the file's name by clicking the edit button shown by the red arrow:
We can now remove the ".noexe" extension:
Removing the extension was successful, as shown in the screenshot below:
We can now call the webshell and use it to run commands on the web server:
Note: This vulnerability has been fixed in version 5.0.4.
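As an added illustration (not Dolibarr's code), the following Python sketch models the two code paths the advisory describes and shows the fix pattern: a rename must pass through the same extension policy as an upload, otherwise the ".noexe" suffix can be stripped. The function names, the extension list beyond "php" and the choice to check every dot-separated component of the name are assumptions of this example.

```python
import os

# "php" is the extension named in the advisory; the other entries are
# constructed additions for this example.
DANGEROUS_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
NEUTRALISING_SUFFIX = ".noexe"  # the suffix the advisory says Dolibarr appends


def has_dangerous_extension(filename: str) -> bool:
    """Return True if any extension component could be executed by the server.

    Every dot-separated component after the base name is checked, not just
    the last, so "shell.php.noexe" and "shell.php.jpg" both count as dangerous.
    """
    components = os.path.basename(filename).lower().split(".")[1:]
    return any(c in DANGEROUS_EXTENSIONS for c in components)


def apply_upload_policy(filename: str) -> str:
    """Model the upload-time behaviour described in the advisory: a dangerous
    name gets ".noexe" appended so the web server no longer executes it."""
    if has_dangerous_extension(filename) and not filename.lower().endswith(NEUTRALISING_SUFFIX):
        return filename + NEUTRALISING_SUFFIX
    return filename


def rename_vulnerable(requested_name: str) -> str:
    """Pre-5.0.4 behaviour as described: the requested name is stored as-is,
    so a user can turn "shell.php.noexe" back into "shell.php"."""
    return requested_name


def rename_hardened(requested_name: str) -> str:
    """Fix pattern: the rename target passes through the same policy as an
    upload, so stripping ".noexe" simply gets it re-applied."""
    return apply_upload_policy(requested_name)


if __name__ == "__main__":
    print(apply_upload_policy("shell.php"))  # -> "shell.php.noexe"
    print(rename_vulnerable("shell.php"))    # -> "shell.php" (executable again)
    print(rename_hardened("shell.php"))      # -> "shell.php.noexe"
```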