Dolibarr
cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*, +1 more
- >= 22.0.0, <= 22.0.4
- 24.0.0-alpha
A vulnerability allowing remote code execution has been identified in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4, as well as in version 24.0.0-alpha under certain conditions. The issue arises from the use of the 'dol_eval()' function, a wrapper around PHP's 'eval()' that evaluates dynamic expressions. The vulnerable call is in the 'htdocs/core/actions_addupdatedelete.inc.php' file, where user-controlled input stored in the 'perms' attribute of extrafields reaches the evaluator. An administrator can exploit this by storing a PHP expression in the database, which is then executed when the corresponding business object is updated or fetched.
Exploitation of this vulnerability allows for arbitrary code execution on the server where Dolibarr is running.
To reproduce this vulnerability, an administrator must first inject a PHP payload into the 'llx_extrafields.perms' column of the 'llx_extrafields' table. This can be done through the Dolibarr admin interface or via a direct SQL update. Once the payload is injected, the administrator can trigger its execution by updating an object that references the modified extrafield. The payload will be executed in the context of the PHP application, and if it calls a function like 'system()' or 'exec()', the result will be returned in the HTTP response.
The recommended fix is to remove the 'dol_eval()' usage in the 'actions_addupdatedelete.inc.php' file and replace it with a safer, purpose-built expression evaluator that does not rely on 'eval()'. Additionally, an audit of the 'llx_extrafields.perms' and 'llx_extrafields.fieldcomputed' columns for unexpected PHP-like content is advised.
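The audit recommended above can be scripted. The following is an added example, not Dolibarr code: it scans values as they would be read from the 'llx_extrafields.perms' and 'llx_extrafields.fieldcomputed' columns (both named on this page) and flags anything that does not look like the narrow kind of expression each column is expected to hold. The allowlist grammars (permission checks over '$user->rights' / '$user->hasRight()' for 'perms', arithmetic over '$object' fields for 'fieldcomputed') and the extra column names in the sample rows are assumptions about typical Dolibarr usage, not the project's specification; whatever the grammar rejects is reported for a human to review, which is the intended failure mode of an allowlist audit.

```python
"""Audit helper for the Dolibarr extrafields eval sink described above.

Added example, not Dolibarr code. The allowlist grammars below are assumptions
about what legitimate 'perms' and 'fieldcomputed' values look like; anything
they do not recognise is reported as suspicious so a person can review it.
"""
import re

# Constructs that have no business in a permission or computed-field expression.
_DENY = re.compile(
    r"(?i)\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert"
    r"|base64_decode|file_put_contents|include|require|create_function)\b"
    r"|`|\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|\$\$|\$\{"
)

# Assumed shape of a legitimate 'perms' value: boolean logic over user rights.
_ALLOW_PERMS = re.compile(r"""
    \s+
  | \$user->rights(?:->[A-Za-z0-9_]+)+
  | \$user->hasRight\(\s*'[A-Za-z0-9_]+'(?:\s*,\s*'[A-Za-z0-9_]+')*\s*\)
  | \$user->admin
  | isModEnabled\(\s*'[A-Za-z0-9_]+'\s*\)
  | \$conf->global->[A-Z0-9_]+
  | \b(?:true|false|0|1)\b
  | &&|\|\||!|\(|\)
""", re.X)

# Assumed shape of a legitimate 'fieldcomputed' value: arithmetic over object
# fields. The array_options form is listed first so it is not cut short by the
# plain '->name' alternative.
_ALLOW_COMPUTED = re.compile(r"""
    \s+
  | \$object(?:->array_options\['[A-Za-z0-9_]+'\]|->[A-Za-z0-9_]+)+
  | \d+(?:\.\d+)?
  | '[^'\\]*'
  | \b(?:round|abs|min|max|price2num)\(
  | [-+*/%(),?:]
  | ===|!==|<=|>=|==|!=|<|>|&&|\|\|
""", re.X)

_GRAMMARS = {"perms": _ALLOW_PERMS, "fieldcomputed": _ALLOW_COMPUTED}


def classify(value, column="perms"):
    """Return (verdict, reason); verdict is 'empty', 'allowed' or 'suspicious'."""
    text = (value or "").strip()
    if not text:
        return "empty", ""
    hit = _DENY.search(text)
    if hit:
        return "suspicious", f"denylisted construct {hit.group(0)!r}"
    grammar = _GRAMMARS[column]
    pos = 0
    # Tokenise with the allowlist; the whole value must be consumed.
    while pos < len(text):
        m = grammar.match(text, pos)
        if not m or m.end() == pos:
            return "suspicious", f"unexpected token at offset {pos}: {text[pos:pos + 20]!r}"
        pos = m.end()
    return "allowed", ""


def audit_rows(rows):
    """Return (rowid, column, reason) for every value that is not clearly benign."""
    findings = []
    for row in rows:
        for column in _GRAMMARS:
            verdict, reason = classify(row.get(column), column)
            if verdict == "suspicious":
                findings.append((row["rowid"], column, reason))
    return findings


# Constructed sample rows standing in for the result of
#   SELECT rowid, elementtype, name, perms, fieldcomputed FROM llx_extrafields
# (column names other than perms and fieldcomputed are assumed).
SAMPLE_ROWS = [
    {"rowid": 1, "elementtype": "societe", "name": "region_code",
     "perms": "$user->rights->societe->creer", "fieldcomputed": ""},
    {"rowid": 2, "elementtype": "facture", "name": "discount_pct",
     "perms": "$user->hasRight('facture', 'creer') && isModEnabled('facture')",
     "fieldcomputed": "round($object->total_ht * 0.05, 2)"},
    {"rowid": 3, "elementtype": "commande", "name": "legacy",
     "perms": "", "fieldcomputed": ""},
    {"rowid": 4, "elementtype": "societe", "name": "planted",
     "perms": "exec('id')", "fieldcomputed": ""},
    {"rowid": 5, "elementtype": "product", "name": "odd",
     "perms": "$user->rights->produit->lire", "fieldcomputed": "phpinfo()"},
]

if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print("row %d column %s: %s" % finding)
```

Run against the constructed rows, the script reports row 4 ('perms' contains a denylisted function call) and row 5 ('fieldcomputed' holds a token the grammar does not recognise). The denylist alone would miss row 5; the allowlist is what makes the audit conservative, at the cost of false positives on unusual but legitimate expressions, which is acceptable for a one-off review of a small table.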