Dolibarr ERP and CRM Authenticated Remote Code Execution Vulnerability via Eval Injection in User Extrafields

Vulnerability

A remote code execution vulnerability has been identified in Dolibarr ERP and CRM versions through 22.0.2. This vulnerability arises from the user extrafields feature, where input from the 'computed value' field is sent to PHP's eval() function without proper sanitization. As a result, authenticated administrators can execute arbitrary PHP code on the server. The vulnerability is present in the file 'functions.lib.php' within the core library.

Impact

Exploitation of this vulnerability allows authenticated administrators to execute arbitrary PHP code on the server, with potential access to the file system, database, and network. This could lead to unauthorized access to sensitive information, such as database credentials and application secrets, and the creation of persistent web shells.

Reproduction

To reproduce this vulnerability, an authenticated administrator must create or edit an extrafield with 'Computed value' enabled. Malicious payloads can be injected into the 'computed value' field. Once the extrafield is saved, the injected payload is executed when the user creation page is accessed.
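For contrast with the eval() pattern described above, here is an added example (not Dolibarr's own code) of evaluating a computed value without ever reaching eval(): the expression is parsed against a small allow-listed grammar of numbers, known field names and arithmetic, and anything outside it is rejected before execution. The field names and sample expressions are assumptions constructed for the illustration.

```php
<?php
// Added example, not Dolibarr's own code: evaluates an extrafield "computed value" through
// a restricted grammar (numbers, allow-listed field names, + - * / and parentheses) instead
// of passing it to eval(). Requires PHP 8; field names and sample expressions are constructed.
final class SafeComputedValue
{
    private const OPS = [['+', '-'], ['*', '/']];   // precedence levels, lowest first
    private array $tokens = []; private int $pos = 0;
    public function __construct(private array $fields) {}
    // Returns the numeric result, or throws InvalidArgumentException if $expr leaves the grammar.
    public function evaluate(string $expr): float
    {
        // /A anchors each match to the previous one's end, so the matches cover $expr only if no foreign byte (quote, ';', '$') was skipped.
        $re = '/\s*(\d+(?:\.\d+)?|[A-Za-z_]\w*|[-+*\/()])\s*/A';
        $ok = preg_match_all($re, $expr, $m, PREG_SET_ORDER)
            && strlen(implode('', array_column($m, 0))) === strlen($expr);
        $ok || throw new InvalidArgumentException('Disallowed characters in computed value');
        [$this->tokens, $this->pos] = [array_column($m, 1), 0];
        $v = $this->binary();
        return $this->pos === count($this->tokens) ? $v : throw new InvalidArgumentException('Trailing input');
    }
    private function next(): string { return $this->tokens[$this->pos++] ?? throw new InvalidArgumentException('Unexpected end'); }
    private function binary(int $level = 0): float   // binary(level) := binary(level+1) (OPS[level] binary(level+1))*
    {
        if ($level === count(self::OPS)) { return $this->factor(); }
        $v = $this->binary($level + 1);
        while (in_array($op = $this->tokens[$this->pos] ?? null, self::OPS[$level], true)) {
            $this->pos++;
            $r = $this->binary($level + 1);
            $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };   // PHP 8 throws DivisionByZeroError on / 0
        }
        return $v;
    }
    private function factor(): float   // factor := number | field | '(' binary ')' | '-' factor
    {
        $t = $this->next();
        if ($t === '(') {
            $v = $this->binary();
            return $this->next() === ')' ? $v : throw new InvalidArgumentException('Missing )');
        }
        if ($t === '-') { return -$this->factor(); }
        if (is_numeric($t)) { return (float) $t; }
        if (array_key_exists($t, $this->fields)) { return (float) $this->fields[$t]; }
        throw new InvalidArgumentException("Not a known field (function names are never allowed): $t");
    }
}
$calc = new SafeComputedValue(['price_ht' => 100, 'qty' => 3, 'discount' => 0.1]);
var_dump($calc->evaluate('price_ht * qty * (1 - discount)'));
try { $calc->evaluate('phpinfo()'); }   // a function call is outside the grammar
catch (InvalidArgumentException $e) { echo 'Rejected: ', $e->getMessage(), PHP_EOL; }
```

Because identifiers are only ever looked up in the field map and never resolved as PHP symbols, a stored computed value can at most produce a number or an exception, which is the property the eval() path lacks.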

Added: May 8, 2026, 9:58 PM
Updated: May 8, 2026, 9:58 PM

Vulnerability Rating

Custom Algorithm

spread:         5.0
impact:         7.5
exploitability: 5.5
remediation:    0.0
relevance:      7.8
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.