[Dolibarr-bugtrack] [Bug #1581] SQL injection possbile

From:	Doliforge
Subject:	[Dolibarr-bugtrack] [Bug #1581] SQL injection possbile
Date:	Mon, 27 Oct 2014 00:59:23 +0100

Is this email not displaying correctly?
update email preferences.

Dolibarr ERP & CRM » Bugs » bug #1581

SQL injection possbile

Latest modifications

Laurent Destailleur (eldy)

2014-10-27 00:59 (Europe/Paris)

The bug has been corrected inside GIT sources
(http://www.github.com/Dolibarr/dolibarr).

So fix should be available with next stable release.

Changes:

Assigned to:	~~None~~ → Laurent Destailleur (eldy)
Resolution:	~~None~~ → Fixed

Answer now

Snapshot

Details
Submitted by:	HENRY Florian (fhenry)	Submitted on:	2014-08-26 16:07
Last Modified On:	2014-08-26 16:07
Summary:	SQL injection possbile
Description:	ulnerability Title: Dolibarr ERP&CPM 3.5.3 - Multiple SQL Injections Affected systems: Dolibarr ERP&CPM 3.5.3 Description: SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. Details: The following URL and parameters have been confirmed to suffer from various forms of SQL injections. GET: http://[IP]/dolibarr/product/stock/fiche.php?action=""> Injection> http://[IP]/dolibarr/product/stock/liste.php?sref=55<SQL Injection>&token=142abe4c1c4b84c3d0c81533c3840cc4&sall=55 address@hidden&token=142abe4c1c4b84c3d0c81533c3840cc4&sall=55<SQL" target="_blank" target="_new">http://[IP]/dolibarr/product/stock/liste.php?sref=address@hidden&token=142abe4c1c4b84c3d0c81533c3840cc4&sall=55<SQL Injection> http://[IP]/dolibarr/projet/element.php?ref=PJ1407<SQL Injection> http://[IP]/dolibarr/projet/tasks/index.php?search_project=5<SQL Injection>bqve&button_search.x=1&button_search.y=1&mode= http://[IP]/dolibarr/compta/prelevement/demandes.php?search_societe=5<SQL Injection>&search_facture=5&button_search.x=1&button_search.y=1 http://[IP]/dolibarr/comm/mailing/liste.php?sref=5<SQL Injection>&sall=5&x=1&y=1 http://[IP]/dolibarr/comm/mailing/liste.php?sref=5&sall=5<SQL Injection>&x=1&y=1 http://[IP]/dolibarr/compta/sociales/index.php?search_label=5<SQL Injection>&button_search.x=1&button_search.y=1 http://[IP]/dolibarr/compta/paiement/cheque/liste.php?sortfield=bc.number<SQL Injection>&sortorder=asc&begin=& http://[IP]/dolibarr/compta/paiement/cheque/liste.php?sortfield=bc.number&sortorder=asc<SQL Injection>&begin=& http://[IP]/dolibarr/compta/prelevement/rejets.php?sortfield=p.ref<SQL Injection>&sortorder=asc&begin=& http://[IP]/dolibarr/compta/prelevement/rejets.php?sortfield=p.ref&sortorder=asc<SQL Injection>&begin=& http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=<SQL Injection>&tobuy=&type=& http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=&tobuy=<SQL Injection>&type=& http://[IP]/dolibarr/product/reassort.php?toolowstock=on&snom=5&sortorder=ASC&sref=5&token=d638ca7f80a7ad68e2cf327a75f954a6&button_search.x=1&button_search.y=1&type=&search_categ=4<SQL Injection>&sortfield=stock_physique http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=1<SQL Injection>&tobuy=&type=& http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=1&tobuy=<SQL Injection>&type=& http://[IP]/dolibarr/product/stats/commande_fournisseur.php?sortfield=c.rowid<SQL Injection>&sortorder=asc&begin=&id=2 http://[IP]/dolibarr/product/stats/commande_fournisseur.php?sortfield=c.rowid&sortorder=asc<SQL Injection>&begin=&id=2 http://[IP]/dolibarr/product/stats/contrat.php?sortfield=c.rowid<SQL Injection>&sortorder=asc&begin=&id=2 http://[IP]/dolibarr/product/stats/contrat.php?sortfield=c.rowid'&sortorder=asc<SQL Injection>&begin=&id=2 http://[IP]/dolibarr/product/stats/facture_fournisseur.php?sortfield=s.rowid<SQL Injection>&sortorder=asc&begin=&id=2 http://[IP]/dolibarr/product/stats/facture_fournisseur.php?sortfield=s.rowid&sortorder=asc<SQL Injection>&begin=&id=2 http://[IP]/dolibarr/product/stats/propal.php?sortfield=p.rowid<SQL Injection>&sortorder=asc&begin=&id=2 http://[IP]/dolibarr/product/stats/propal.php?sortfield=p.rowid&sortorder=asc<SQL Injection>&begin=&id=2 http://[IP]/dolibarr/product/stock/fiche.php?id=0<SQL Injection> http://[IP]/dolibarr/product/stock/info.php?id=0<SQL Injection> http://[IP]/dolibarr/product/stock/liste.phpsortfield=e.label&sortorder=asc<SQL Injection>&begin=& http://[IP]/dolibarr/product/stock/liste.php?sortfield=e.label<SQL Injection>&sortorder=asc&begin=& http://[IP]/dolibarr/product/reassort.php?toolowstock=on&snom=5&sortorder=ASC&sref=5<SQL Injection>&token=d638ca7f80a7ad68e2cf327a75f954a6&button_search.x=1&button_search.y=1&type=&search_categ=4&sortfield=stock_physique http://[IP]/dolibarr/product/stock/massstockmove.php?productid=1<SQL Injection>&token=9d491e55462571d39390bd136f4f50da&id_tw=-1&action="" /> http://[IP]/dolibarr/product/stock/replenishorders.php?sortfield=cf.ref&sortorder=asc<SQL Injection>&begin=& http://[IP]/dolibarr/product/stock/replenishorders.php?sortfield=cf.ref<SQL Injection>&sortorder=asc&begin=& http://[IP]/dolibarr/projet/contact.php?id=1&action=""> Injection> http://[IP]/dolibarr/projet/contact.php?id=1&action=""> Injection> http://[IP]/dolibarr/projet/tasks/contact.php?id=1&action=""> Injection> http://[IP]/dolibarr/compta/recap-compta.php?socid=1<SQL Injection> http://[IP]/dolibarr/holiday/index.php?mainmenu=holiday&id=1<SQL Injection> http://[IP]/dolibarr/projet/tasks/contact.php?id=2&source=internal&token=acff06ed1720e3ec66a16918dcee2bfd&action=""> Injection>&withproject=1 http://[IP]/dolibarr/product/stock/fiche.php?id=1<SQL Injection> http://[IP]/dolibarr/projet/contact.php?ref=PJ1407-0002<SQL Injection> http://[IP]/dolibarr/projet/ganttview.php?ref=PJ1407-0002<SQL Injection> http://[IP]/dolibarr/product/stock/fiche.php?id=1<SQL Injection> http://[IP]/dolibarr/projet/note.php?ref=PJ1407-0002<SQL Injection> http://[IP]/dolibarr/projet/tasks/contact.php?project_ref=PJ1407-0002<SQL Injection>&withproject=1 http://[IP]/dolibarr/projet/tasks.php?ref=PJ1407-0002<SQL Injection>&mode=mine http://[IP]/dolibarr/projet/tasks/note.php?project_ref=PJ1407-0002<SQL Injection>&withproject=1 http://[IP]/dolibarr/contact/info.php?id=2<SQL Injection>&optioncss=print http://[IP]/dolibarr/societe/commerciaux.php?socid=117260852<SQL Injection>&optioncss=print http://[IP]/dolibarr/compta/dons/liste.php?statut=2<SQL Injection> http://[IP]/dolibarr/societe/rib.php?socid=1<SQL Injection>&optioncss=print http://[IP]/dolibarr/adherents/liste.php?leftmenu=members&statut=1<SQL Injection>&filter=outofdate&idmenu=9431&mainmenu=members http://[IP]/dolibarr/product/reassort.php?sortfield=p.ref&sortorder=asc&begin=&tosell=43<SQL injection>&tobuy=&type=0&fourn_id=&snom=&sref=& http://[IP]/dolibarr/product/reassort.php?sortfield=p.ref&sortorder=asc&begin=&tosell=&tobuy=3<SQL injection>&type=0&fourn_id=&snom=&sref=& http://[IP]/dolhttp://[IP]/dolibarr/product/index.php?leftmenu=product&type=0<SQL injection>&idmenu=2819&mainmenu=products http://[IP]/dolibarr/product/stats/facture.php?sortfield=s.rowid<SQL injection>&sortorder=asc&begin=&id=2 http://[IP]/dolibarr/product/stats/facture.php?sortfield=s.rowid&sortorder=asc<SQL injection>&begin=&id=2 http://[IP]/dolibarr/user/index.php?sortfield=u.login&sortorder=asc&begin=search_user=&sall=&search_statut=<SQL injection>& http://[IP]/dolibarr/compta/bank/fiche.php?id=<SQL Injection> http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5<SQL injection>&search_societe=5&search_ligne=5&search_bon=5&button_search.x=1&button_search.y=1 http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5<SQL injection>&search_ligne=5&search_bon=5&button_search.x=1&button_search.y=1 http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5&search_ligne=5<SQL injection>&search_bon=5&button_search.x=1&button_search.y=1 http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5&search_ligne=5&search_bon=5<SQL injection>&button_search.x=1&button_search.y=1 http://[IP]/dolibarr/compta/prelevement/bons.php?sortfield=p.ref&sortorder=asc<SQL injection>&begin=& http://[IP]/dolibarr/compta/prelevement/bons.php?sortfield=p.ref<SQL injection>&sortorder=asc&begin=& http://[IP]/dolibarr/product/stats/commande.php?sortfield=c.rowid&sortorder=asc<SQL injection>&begin=&id=2 http://[IP]/dolibarr/product/stats/commande.php?sortfield=c.rowid<SQL injection>&sortorder=asc&begin=&id=2 POST: POST /dolibarr/product/liste.php HTTP/1.1 Host: 192.168.56.103 [...] Cookie: DOLSESSID_bca8ba010461ef1336d17dcd7836c25c=29mufjtdcngabkspms4169dkr3 snom=address@hidden&sortorder=ASC07356377&sref=address@hidden&token=fbb496299c4898552cde8e500a4ca985&tosell=0<SQL injection>&action="" /> Impact: An attacker would be able to exfiltrate the database, user credentials and in certain setup access the underling operating system. ___ If you have any questions, feel free to let me know. Please be aware we ask that vendors keep us updated on their progress during our coordination prior to disclosure. Kind regards, Arron Dowdeswell Portcullis Advisories <address@hidden> PGP Key ID: 0xF6406A85
Step to reproduce bug:
Detected in version:	3.6.0	Category:	Security
Severity:	8	OS Type/Version:
PHP version:		Database type and version:
Status
Status:	Open	Assigned to:	Laurent Destailleur (eldy)
Resolution:	Fixed

Comments

Laurent Destailleur 2014-10-27 00:59: The bug has been corrected inside GIT sources
(http://www.github.com/Dolibarr/dolibarr).

So fix should be available with next stable release.

[Prev in Thread]

Current Thread

[Next in Thread]

[Dolibarr-bugtrack] [Bug #1581] SQL injection possbile, Doliforge <=

Prev by Date: [Dolibarr-bugtrack] [Bug #1614] Erreur lors de l'accès à l'agenda
Next by Date: [Dolibarr-bugtrack] [Bug #1612] Adding free product line line with negative qty in credit notes, doesn't give error message
Previous by thread: [Dolibarr-bugtrack] [Bug #1622] Requesting holiday than spans across two years cause high CPU usage by Apache
Next by thread: [Dolibarr-bugtrack] [Bug #1584] Database creation timeout
Index(es):
- Date
- Thread