Dolibarr ODT to PDF Conversion Process OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A remote code execution vulnerability has been identified in Dolibarr versions prior to 23.0.0. The issue arises in the ODT to PDF conversion process, where the value of the 'MAIN_ODT_AS_PDF' configuration constant is concatenated directly into a shell command string executed via 'exec()' without sanitization or quoting. This flaw allows an authenticated administrator to inject arbitrary operating system commands, which are executed as the web server user, whenever a document is generated from an ODT template.
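The following PHP is an added illustration of the pattern described above and is not Dolibarr's own code: a hypothetical converter helper that splices a configuration value into an 'exec()' command string, shown beside a hardened variant that restricts the converter to an allow-list and quotes every argument with 'escapeshellarg()'. The function names, the converter list and the file checks are assumptions made for the example.

```php
<?php
// Added example, not Dolibarr code. Hypothetical helper that turns an ODT file
// into a PDF by running an external converter configured via a constant value
// (the page names that constant MAIN_ODT_AS_PDF).

// Vulnerable pattern: the configuration value is spliced into the command string
// as-is, so any shell metacharacters it contains become part of the command line.
// A configuration value set through the admin UI must be treated as untrusted.
function convert_odt_vulnerable(string $odtPath, string $converterSetting): string
{
    $cmd = $converterSetting . ' ' . $odtPath;   // e.g. "libreoffice --headless --convert-to pdf /tmp/doc.odt"
    exec($cmd, $output, $status);
    return $status === 0 ? implode("\n", $output) : '';
}

// Hardened pattern: the setting selects a converter by name from a fixed table;
// it is never interpreted as a command, and each argument is quoted separately.
const ALLOWED_CONVERTERS = [
    'libreoffice' => ['libreoffice', '--headless', '--convert-to', 'pdf'],
    'unoconv'     => ['unoconv', '-f', 'pdf'],
];

function convert_odt_hardened(string $odtPath, string $converterName): string
{
    if (!isset(ALLOWED_CONVERTERS[$converterName])) {
        throw new InvalidArgumentException('Unknown converter: ' . $converterName);
    }
    // Only an existing .odt file may reach the shell; reject anything else.
    $real = realpath($odtPath);
    if ($real === false || !is_file($real) || pathinfo($real, PATHINFO_EXTENSION) !== 'odt') {
        throw new InvalidArgumentException('Not an ODT file: ' . $odtPath);
    }
    $argv = array_merge(ALLOWED_CONVERTERS[$converterName], [$real]);
    $cmd  = implode(' ', array_map('escapeshellarg', $argv));
    exec($cmd, $output, $status);
    return $status === 0 ? implode("\n", $output) : '';
}
```

In the hardened version a setting such as "libreoffice; id" is rejected by the allow-list lookup rather than reaching 'exec()', and the document path is quoted so that it cannot terminate the command either.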

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the executed commands running under the privileges of the web server user, typically 'www-data'. This could lead to reading sensitive files, modifying application code, and potentially compromising the entire system, depending on the server's configuration.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the 'Home' -> 'Setup' -> 'Other Setup' section. Inject a payload into the 'MAIN_ODT_AS_PDF' configuration constant that includes a command separator followed by a base64-encoded reverse shell command. Once the payload is set, go to 'Commerce' -> 'New Proposal', select an ODT template, and generate the document. The injected command will be executed, establishing a reverse shell connection to the attacker's machine.

Remediation

Users are advised to update Dolibarr to version 23.0.0 or later, where this vulnerability has been fixed.

Added: Apr 17, 2026, 10:13 PM
Updated: Apr 17, 2026, 10:13 PM

Vulnerability Rating (Custom Algorithm)

spread: 5.0
impact: 7.5
exploitability: 6.1
remediation: 7.7
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.