SQL Injection in dolibarr/dolibarr


Reported on

Jan 9th 2022


The search_users parameter does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection.

Proof of Concept

Slow query example:

POST /dolibarr-14.0.5/htdocs/compta/sociales/list.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://dolibarr.host.com/dolibarr-14.0.5/htdocs/
Cookie: DOLSESSID_fccaaf42bd9fa1c7b06bdc9c436940dd=mo7pn9rar97v28ol5a34qe0oa0; 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 478
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Host: dolibarr.host.com
Connection: Keep-alive



A successful attack may result the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, write file to server lead to Remote code Execute, or write script to extract data

We are processing your report and will contact the dolibarr team within 24 hours. 19 days ago
We have contacted a member of the dolibarr team and are waiting to hear back 18 days ago
We have sent a follow up to the dolibarr team. We will try again in 7 days. 15 days ago
Laurent Destailleur validated this vulnerability 15 days ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on b9b45f 15 days ago
Laurent Destailleur has been awarded the fix bounty