
[Dolibarr-bugtrack] [Bug #1581] SQL injection possible


From: Doliforge
Subject: [Dolibarr-bugtrack] [Bug #1581] SQL injection possible
Date: Mon, 27 Oct 2014 00:59:23 +0100


SQL injection possible

Latest modifications

2014-10-27 00:59 (Europe/Paris)
The bug has been corrected inside GIT sources
(http://www.github.com/Dolibarr/dolibarr).

So fix should be available with next stable release.
Changes:
  • Assigned to: None → Laurent Destailleur (eldy)
  • Resolution: None → Fixed


Snapshot

 Details
Submitted by: HENRY Florian (fhenry)
Submitted on: 2014-08-26 16:07
Last Modified On: 2014-08-26 16:07
Summary: SQL injection possible
Description:
Vulnerability Title:
Dolibarr ERP & CRM 3.5.3 - Multiple SQL Injections

Affected systems:
Dolibarr ERP & CRM 3.5.3

Description:
SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.

Details:
The following URL and parameters have been confirmed to suffer from various forms of SQL injections.

GET:

http://[IP]/dolibarr/product/stock/fiche.php?action=<SQL Injection>
http://[IP]/dolibarr/product/stock/liste.php?sref=55<SQL Injection>&token=142abe4c1c4b84c3d0c81533c3840cc4&sall=55
http://[IP]/dolibarr/product/stock/liste.php?sref=address@hidden&token=142abe4c1c4b84c3d0c81533c3840cc4&sall=55<SQL Injection>
http://[IP]/dolibarr/projet/element.php?ref=PJ1407<SQL Injection>
http://[IP]/dolibarr/projet/tasks/index.php?search_project=5<SQL Injection>bqve&button_search.x=1&button_search.y=1&mode=
http://[IP]/dolibarr/compta/prelevement/demandes.php?search_societe=5<SQL Injection>&search_facture=5&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/comm/mailing/liste.php?sref=5<SQL Injection>&sall=5&x=1&y=1
http://[IP]/dolibarr/comm/mailing/liste.php?sref=5&sall=5<SQL Injection>&x=1&y=1
http://[IP]/dolibarr/compta/sociales/index.php?search_label=5<SQL Injection>&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/paiement/cheque/liste.php?sortfield=bc.number<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/compta/paiement/cheque/liste.php?sortfield=bc.number&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/compta/prelevement/rejets.php?sortfield=p.ref<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/compta/prelevement/rejets.php?sortfield=p.ref&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=<SQL Injection>&tobuy=&type=&
http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=&tobuy=<SQL Injection>&type=&
http://[IP]/dolibarr/product/reassort.php?toolowstock=on&snom=5&sortorder=ASC&sref=5&token=d638ca7f80a7ad68e2cf327a75f954a6&button_search.x=1&button_search.y=1&type=&search_categ=4<SQL Injection>&sortfield=stock_physique
http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=1<SQL Injection>&tobuy=&type=&
http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=1&tobuy=<SQL Injection>&type=&
http://[IP]/dolibarr/product/stats/commande_fournisseur.php?sortfield=c.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/commande_fournisseur.php?sortfield=c.rowid&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stats/contrat.php?sortfield=c.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/contrat.php?sortfield=c.rowid'&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stats/facture_fournisseur.php?sortfield=s.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/facture_fournisseur.php?sortfield=s.rowid&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stats/propal.php?sortfield=p.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/propal.php?sortfield=p.rowid&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stock/fiche.php?id=0<SQL Injection>
http://[IP]/dolibarr/product/stock/info.php?id=0<SQL Injection>
http://[IP]/dolibarr/product/stock/liste.php?sortfield=e.label&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/product/stock/liste.php?sortfield=e.label<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/product/reassort.php?toolowstock=on&snom=5&sortorder=ASC&sref=5<SQL Injection>&token=d638ca7f80a7ad68e2cf327a75f954a6&button_search.x=1&button_search.y=1&type=&search_categ=4&sortfield=stock_physique
http://[IP]/dolibarr/product/stock/massstockmove.php?productid=1<SQL Injection>&token=9d491e55462571d39390bd136f4f50da&id_tw=-1&action=""
http://[IP]/dolibarr/product/stock/replenishorders.php?sortfield=cf.ref&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/product/stock/replenishorders.php?sortfield=cf.ref<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/projet/contact.php?id=1&action=<SQL Injection>
http://[IP]/dolibarr/projet/tasks/contact.php?id=1&action=<SQL Injection>
http://[IP]/dolibarr/compta/recap-compta.php?socid=1<SQL Injection>
http://[IP]/dolibarr/holiday/index.php?mainmenu=holiday&id=1<SQL Injection>
http://[IP]/dolibarr/projet/tasks/contact.php?id=2&source=internal&token=acff06ed1720e3ec66a16918dcee2bfd&action=<SQL Injection>&withproject=1
http://[IP]/dolibarr/product/stock/fiche.php?id=1<SQL Injection>
http://[IP]/dolibarr/projet/contact.php?ref=PJ1407-0002<SQL Injection>
http://[IP]/dolibarr/projet/ganttview.php?ref=PJ1407-0002<SQL Injection>
http://[IP]/dolibarr/projet/note.php?ref=PJ1407-0002<SQL Injection>
http://[IP]/dolibarr/projet/tasks/contact.php?project_ref=PJ1407-0002<SQL Injection>&withproject=1
http://[IP]/dolibarr/projet/tasks.php?ref=PJ1407-0002<SQL Injection>&mode=mine
http://[IP]/dolibarr/projet/tasks/note.php?project_ref=PJ1407-0002<SQL Injection>&withproject=1
http://[IP]/dolibarr/contact/info.php?id=2<SQL Injection>&optioncss=print
http://[IP]/dolibarr/societe/commerciaux.php?socid=117260852<SQL Injection>&optioncss=print
http://[IP]/dolibarr/compta/dons/liste.php?statut=2<SQL Injection>
http://[IP]/dolibarr/societe/rib.php?socid=1<SQL Injection>&optioncss=print
http://[IP]/dolibarr/adherents/liste.php?leftmenu=members&statut=1<SQL Injection>&filter=outofdate&idmenu=9431&mainmenu=members
http://[IP]/dolibarr/product/reassort.php?sortfield=p.ref&sortorder=asc&begin=&tosell=43<SQL injection>&tobuy=&type=0&fourn_id=&snom=&sref=&
http://[IP]/dolibarr/product/reassort.php?sortfield=p.ref&sortorder=asc&begin=&tosell=&tobuy=3<SQL injection>&type=0&fourn_id=&snom=&sref=&
http://[IP]/dolibarr/product/index.php?leftmenu=product&type=0<SQL injection>&idmenu=2819&mainmenu=products
http://[IP]/dolibarr/product/stats/facture.php?sortfield=s.rowid<SQL injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/facture.php?sortfield=s.rowid&sortorder=asc<SQL injection>&begin=&id=2
http://[IP]/dolibarr/user/index.php?sortfield=u.login&sortorder=asc&begin=search_user=&sall=&search_statut=<SQL injection>&
http://[IP]/dolibarr/compta/bank/fiche.php?id=<SQL Injection>
http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5<SQL injection>&search_societe=5&search_ligne=5&search_bon=5&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5<SQL injection>&search_ligne=5&search_bon=5&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5&search_ligne=5<SQL injection>&search_bon=5&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5&search_ligne=5&search_bon=5<SQL injection>&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/prelevement/bons.php?sortfield=p.ref&sortorder=asc<SQL injection>&begin=&
http://[IP]/dolibarr/compta/prelevement/bons.php?sortfield=p.ref<SQL injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/product/stats/commande.php?sortfield=c.rowid&sortorder=asc<SQL injection>&begin=&id=2
http://[IP]/dolibarr/product/stats/commande.php?sortfield=c.rowid<SQL injection>&sortorder=asc&begin=&id=2
POST:

POST /dolibarr/product/liste.php HTTP/1.1
Host: 192.168.56.103
[...]
Cookie: DOLSESSID_bca8ba010461ef1336d17dcd7836c25c=29mufjtdcngabkspms4169dkr3

snom=address@hidden&sortorder=ASC07356377&sref=address@hidden&token=fbb496299c4898552cde8e500a4ca985&tosell=0<SQL injection>&action=""
Impact:
An attacker would be able to exfiltrate the database and user credentials and, in certain setups, access the underlying operating system.
___

If you have any questions, feel free to let me know.
Please be aware we ask that vendors keep us updated on their progress during our coordination prior to disclosure.

Kind regards,

Arron Dowdeswell
Portcullis Advisories
<address@hidden>
PGP Key ID: 0xF6406A85
Step to reproduce bug:
Detected in version: 3.6.0
Category: Security
Severity: 8
OS Type/Version:
PHP version:
Database type and version:
 Status
Status: Open
Assigned to: Laurent Destailleur (eldy)
Resolution: Fixed

Comments

Laurent Destailleur 2014-10-27 00:59
The bug has been corrected inside GIT sources
(http://www.github.com/Dolibarr/dolibarr).

So fix should be available with next stable release.
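As an added illustration for defenders, not code from Dolibarr or from the advisory above: a Python/SQLite sketch of how each parameter class the report lists (numeric flags such as tosell=/tobuy=, free-text search such as sref=/snom=, and the sortfield=/sortorder= identifiers, which cannot be bound as query parameters) can be validated before it reaches the query. The table name, columns, allowlist and sample rows are constructed for the example and are not Dolibarr's real schema.

```python
import sqlite3
# sortfield=/sortorder= cannot be bound as query parameters: resolve them via an allowlist keyed by the raw value.
SORTABLE_FIELDS = {"p.ref": "p.ref", "p.label": "p.label", "stock_physique": "p.stock_physique"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}

class BadParameter(ValueError):
    """Raised for any request value that does not match its expected shape."""

def build_product_query(params):
    """Map the advisory's parameter classes (tosell/tobuy, sref/snom, sortfield/sortorder) to (sql, bound_values)."""
    sql = "SELECT p.rowid, p.ref, p.label FROM product p WHERE 1=1"
    values = []
    # Numeric flags: reject anything that is not a plain integer, then bind it.
    for flag in ("tosell", "tobuy"):
        raw = params.get(flag, "")
        if raw != "":
            if not raw.isdigit():
                raise BadParameter(f"{flag} must be an integer, got {raw!r}")
            sql += f" AND p.{flag} = ?"
            values.append(int(raw))
    # Free text: the value (wildcards included) is bound, so quotes never reach the SQL grammar.
    for name, column in (("sref", "p.ref"), ("snom", "p.label")):
        raw = params.get(name, "")
        if raw != "":
            sql += f" AND {column} LIKE ?"
            values.append(f"%{raw}%")
    # Sort: only an exact allowlist key yields an identifier; anything else is refused.
    field = params.get("sortfield", "p.ref")
    order = params.get("sortorder", "asc").lower()
    if field not in SORTABLE_FIELDS or order not in SORT_ORDERS:
        raise BadParameter("unknown sortfield or sortorder")
    sql += f" ORDER BY {SORTABLE_FIELDS[field]} {SORT_ORDERS[order]}"
    return sql, values

def rejects(params):
    try:  # True when the parameters are refused before any SQL is built
        build_product_query(params)
        return False
    except BadParameter:
        return True

def demo_connection():
    """In-memory SQLite table with constructed sample rows (not Dolibarr's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (rowid INTEGER PRIMARY KEY, ref TEXT, label TEXT,"
                 " tosell INTEGER, tobuy INTEGER, stock_physique INTEGER)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "PJ1407-0001", "Widget", 1, 0, 5), (2, "PJ1407-0002", "Gadget", 1, 1, 0),
        (3, "PJ1407-0003", "O'Brien kit", 0, 1, 12)])
    return conn
```

Run a request through `conn.execute(*build_product_query(params))`; the same three checks apply to any list page that takes ids, search strings and sort parameters.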

