Dolibarr ERP/CRM
cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*, +1 more
- <= 3.1.1
- <= 3.2.0
This vulnerability is being actively exploited in the wild.
A post-authentication operating system command injection vulnerability has been identified in the database backup feature of Dolibarr ERP/CRM versions through 3.1.1 and 3.2.0. The vulnerability arises because the export.php script does not properly sanitize the sql_compat parameter. This oversight enables authenticated users to inject arbitrary system commands, leading to remote code execution on the server.
Exploitation of this vulnerability allows for arbitrary code execution on the server where Dolibarr ERP/CRM is running.
To reproduce this vulnerability, an authenticated user must send a POST request to the 'admin/tools/export.php' endpoint. The request must include a crafted sql_compat parameter that injects system commands. Other required parameters include 'export_type', 'what', 'mysqldump', 'use_transaction', 'disable_fk', 'sql_structure', 'drop', 'sql_data', 'showcolumns', 'extended_ins', 'delayed', 'sql_ignore', 'hexforbinary', 'filename_template', and 'compression'. The injected command will be executed on the server, and the response can be used to verify successful exploitation.
Users are advised to upgrade to Dolibarr version 3.2.1 or later. For the 3.1.x branch, the vendor has announced that a fix will be available by June 2012.
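Added example, not Dolibarr's own code: the shape of a fix for the defect described above, in PHP. The request's sql_compat value is matched strictly against the modes mysqldump accepts for --compatible and only then passed through escapeshellarg(), so it can never be read by the shell as anything but one inert argument; the function names, the checkbox-to-flag mapping and the sample inputs are assumptions made for this illustration.

```php
<?php
// Modes mysqldump documents for --compatible. Assumption: this is the set the
// deployment needs; anything else is refused rather than "cleaned".
const ALLOWED_SQL_COMPAT = [
    'ansi', 'mysql323', 'mysql40', 'postgresql', 'oracle', 'mssql',
    'db2', 'maxdb', 'no_key_options', 'no_table_options', 'no_field_options',
];

/** Return the --compatible option, null when sql_compat is absent, or throw. */
function sqlCompatOption(?string $sqlCompat): ?string
{
    if ($sqlCompat === null || $sqlCompat === '') {
        return null;
    }
    // Strict comparison: exact match only, no type juggling or partial matches.
    if (!in_array($sqlCompat, ALLOWED_SQL_COMPAT, true)) {
        throw new InvalidArgumentException('sql_compat: unsupported value');
    }
    // Still escaped even though it passed the allowlist: defence in depth.
    return '--compatible=' . escapeshellarg($sqlCompat);
}

/**
 * Build the mysqldump command line. Request values only select fixed flags or pass
 * the allowlist; names are escaped; the output path uses --result-file rather than a
 * shell redirect. The checkbox-to-flag mapping is an assumption for this example.
 */
function buildMysqldumpCommand(string $bin, string $db, string $outFile, array $p): string
{
    $args = [escapeshellarg($bin)];
    if (($opt = sqlCompatOption($p['sql_compat'] ?? null)) !== null) {
        $args[] = $opt;
    }
    if (!empty($p['drop']))         { $args[] = '--add-drop-table'; }
    if (!empty($p['hexforbinary'])) { $args[] = '--hex-blob'; }
    $args[] = '--result-file=' . escapeshellarg($outFile);
    $args[] = escapeshellarg($db);
    return implode(' ', $args);
}

// Constructed inputs: one legitimate mode, one carrying a shell metacharacter.
foreach (['ansi', 'ansi;'] as $value) {
    try {
        $params = ['sql_compat' => $value, 'drop' => '1'];
        echo buildMysqldumpCommand('/usr/bin/mysqldump', 'dolibarr', '/tmp/dump.sql', $params), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected sql_compat=', var_export($value, true), ': ', $e->getMessage(), "\n";
    }
}
```

The first input yields a command line with `--compatible='ansi'`; the second is refused before any command string is built, which is the behaviour the advisory's "does not properly sanitize" finding calls for.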