Security Research & Advisories

Multiple SQL Injection Vulnerabilities in Dolibarr

Product Dolibarr
Affected Version(s) 5.0.3 probably prior
Tested Version(s) 5.0.3
Vulnerability Discovery June 3, 2017
Vendor Notification June 6, 2017
Advisory Publication June 7, 2017 [without technical details]
Vendor Acknowledgment June 18, 2017
Vendor Fix Partially fixed as of 5.0.4
Public Disclosure March 12, 2017
Latest Modification March 12, 2017
CVE Identifier(s) CVE-2017-9839
Product Description Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.
Credits Yann Chalençon, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Multiple SQL Injection Vulnerabilities in Dolibarr
Severity: Medium CVSS Score: 6.3 CWE-ID: CWE-89 Status: Partial Fix
Vulnerability Description
The application Dolibarr is affected by multiple SQL injection vulnerabilities affecting version 5.0.3 and prior. These vulnerabilities could allow remote authenticated attackers to inject arbitrary SQL code.
CVSS Base Score
Attack Vector Network Scope Unchanged
Attack Complexity Low Confidentiality Impact Low
Privileges Required Low Integrity Impact Low
User Interaction None Availability Impact Low


The Dolibarr web application version 5.0.3 is vulnerable to SQL injection in multiple places. Exploiting this vulnerability leads to an authenticated user being able to inject arbitrary SQL statements, e.g. to dump the entire database.

In addition, the filter in use by Dolibarr to prevent SQL injections can be easily bypassed by URL encoding SQL payloads. This can as well be automated with SQLmap and tamper script “charencode”.

The following screenshot shows the request when listing commercial proposals. To demonstrate the SQL injection vulnerability, we have inputted a single quote character in the viewstatut parameter. This resulted in a SQL error as displayed on the right side of the screenshot:

To demonstrate further the SQL injection, we have inserted “SLEEP” commands which if successfully ran by the database should delay response from the web server. The first screenshot shows the baseline request without the SLEEP command. As you can see on the bottom right corner, the response is returned in 56 milliseconds

We have then added “-SLEEP(1)” and response was returned in 4057 milliseconds

We have then added “-SLEEP(2)” and response was returned in 8059 milliseconds

Other affected pages & parameters:

/htdocs/product/stats/card.php #type

/dolibarr/htdocs/product/stats/card.php?id=all&leftmenu=stats&type=[SQL STATEMENT HERE]

/dolibarr/htdocs/comm/propal/list.php #propal_statut

POST /dolibarr/htdocs/comm/propal/list.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: DOLSESSID_8c9db71eb2fd5bc470fdb2f0d0752f5d=9jsjp4ar13eqldf8o0mt0b0cl3
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 444

token=c6e90d6743de455a542e1c7f62141eb4&formfilteraction=list&action=list&sortfield=p.ref&sortorder=DESC&massaction=0&confirmmassaction=Confirm&limit=25&search_sale=0&search_user=-1&[SQL STATEMENT HERE]

Note: Most vulnerabilities have been fixed in Dolibarr version 5.0.4. However, the viewstatut parameter isstill vulnerable as of 7.0.0. As for parameter propal_statut, it has been renamed to search_statut in version 7.0.0 and is still vulnerable.