SQL Injection in dolibarr/dolibarr


Reported on Jan 9th 2022


The search_users parameter is not sanitised or escaped before it is used in a SQL statement, which could lead to SQL injection.

Proof of Concept

Slow query example:

POST /dolibarr-14.0.5/htdocs/compta/sociales/list.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://dolibarr.host.com/dolibarr-14.0.5/htdocs/
Cookie: DOLSESSID_fccaaf42bd9fa1c7b06bdc9c436940dd=mo7pn9rar97v28ol5a34qe0oa0; 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 478
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Host: dolibarr.host.com
Connection: Keep-alive
A successful attack may result in the deletion of entire tables and, in certain cases, in the attacker gaining administrative rights to the database, writing files to the server (leading to remote code execution), or running scripts to extract data.
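The following is an added illustration of the flaw class described in this report, not code from Dolibarr (which is written in PHP and uses its own database layer). It models a user search in Python with an in-memory SQLite table (constructed sample data, not real Dolibarr rows) and shows the defect beside its fix: building the SQL text by string concatenation lets the search parameter change the query's structure, while a bound parameter (with LIKE wildcards escaped) keeps the input a literal. The `breaks_on_quote` helper shows the classic review signal for this bug: a single quote in the input makes the concatenated query a syntax error, whereas the parameterised query handles it normally.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a user list (not Dolibarr data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE llx_user (rowid INTEGER PRIMARY KEY, login TEXT, admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO llx_user (login, admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    return conn


def search_users_vulnerable(conn, search_users):
    # Defect: the request parameter is pasted into the SQL text, so quote
    # characters and SQL keywords in it become part of the statement.
    sql = (
        "SELECT login FROM llx_user WHERE login LIKE '%"
        + search_users
        + "%' ORDER BY rowid"
    )
    return [row[0] for row in conn.execute(sql)]


def _escape_like(value):
    # Escape LIKE metacharacters so user input cannot widen the pattern.
    return (
        value.replace("\\", "\\\\")
        .replace("%", "\\%")
        .replace("_", "\\_")
    )


def search_users_fixed(conn, search_users):
    # Fix: the parameter is bound, never interpolated, so the driver treats it
    # as a string literal regardless of its content.
    sql = "SELECT login FROM llx_user WHERE login LIKE ? ESCAPE '\\' ORDER BY rowid"
    pattern = "%" + _escape_like(search_users) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def breaks_on_quote(search_fn, conn):
    """Return True if a lone single quote makes the query fail: a sign that
    the input is being spliced into SQL text rather than bound."""
    try:
        search_fn(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Constructed input that terminates the string literal and appends a
    # condition; the vulnerable query returns every row, the fixed one none.
    injected = "x' OR 1=1 --"
    print("vulnerable:", search_users_vulnerable(db, injected))
    print("fixed:     ", search_users_fixed(db, injected))
    print("vulnerable breaks on quote:", breaks_on_quote(search_users_vulnerable, db))
    print("fixed breaks on quote:     ", breaks_on_quote(search_users_fixed, db))
```

In a code review of a PHP search endpoint the same test applies: any place where a request parameter reaches the SQL string through concatenation rather than through the database layer's escaping or binding function is the line to fix.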

We are processing your report and will contact the dolibarr team within 24 hours. a year ago
We have contacted a member of the dolibarr team and are waiting to hear back a year ago
We have sent a follow up to the dolibarr team. We will try again in 7 days. a year ago
Laurent Destailleur validated this vulnerability a year ago
laladee has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur marked this as fixed in 14.0.6 with commit b9b45f a year ago
Laurent Destailleur has been awarded the fix bounty
This vulnerability will not receive a CVE