Dolibarr
cpe:2.3:a:dolibarr:dolibarr:*:*:*:*:*:*:*, +1 more
- >= 22.0.0, <= 22.0.4
- 24.0.0-alpha
A remote code execution vulnerability has been identified in Dolibarr ERP/CRM versions 22.0.0 through 22.0.4, and in version 24.0.0-alpha under certain conditions. The issue lies in the 'dol_eval()' function, a wrapper around PHP's 'eval()' that the application uses to evaluate dynamic expressions in many places. In the affected versions, an authenticated administrator can store PHP code in specific database fields, and that code is executed whenever the application later evaluates those fields. The impact is compounded when this is chained with another weakness in the same application that allows operating system commands to be run.
Successful exploitation yields arbitrary PHP code execution, which in turn allows operating system commands to be run with the privileges of the web server process; if that process runs as root, the host is fully compromised.
To reproduce the issue, a PHP payload is first stored in the 'llx_extrafields.fieldcomputed' or 'llx_extrafields.perms' column, either through the Dolibarr admin interface or by writing to the database directly with SQL. Once stored, the payload runs automatically whenever the application processes the business objects the extra field belongs to, such as invoices or contacts, depending on where it was injected. Execution can be confirmed by observing the output of the injected PHP code in the application's response.
To address this vulnerability, Dolibarr should replace 'dol_eval()' with a purpose-built expression evaluator that parses and evaluates only an allowlisted grammar instead of handing stored strings to PHP's 'eval()'. Additionally, the application should enforce a strict allowlist of method names that scheduled jobs may call, so that stored configuration cannot be turned into unauthorized command execution.
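The following is an added example, not Dolibarr's own code (Dolibarr is written in PHP). It sketches the two checks described above in Python: a purpose-built evaluator that accepts only arithmetic over '$object->field' references and never calls eval(), and an audit that runs the same allowlist over the 'fieldcomputed' and 'perms' columns to flag rows that can only be PHP. The sample rows, the field names they reference and the accepted shape of a 'perms' expression ('0', '1' or a '$user->rights->...' chain) are constructed assumptions for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample rows standing in for llx_extrafields; not real Dolibarr data.
SAMPLE_ROWS = [
    {"name": "total_x2", "fieldcomputed": "$object->total_ht * 2", "perms": "1"},
    {"name": "margin_pct",
     "fieldcomputed": "($object->total_ht - $object->cost) / $object->total_ht * 100",
     "perms": "$user->rights->facture->lire"},
    {"name": "evil_1", "fieldcomputed": "system('id')", "perms": "1"},
    {"name": "evil_2", "fieldcomputed": "1; eval($_GET['c'])", "perms": "1"},
    {"name": "evil_3", "fieldcomputed": "$object->total_ht", "perms": "shell_exec('id') ? 1 : 0"},
]

# Allowlist grammar: numbers, $object->field references and + - * / ( ). Nothing else.
_TOKEN = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|(\$object->[A-Za-z_][A-Za-z0-9_]*)|([-+*/()]))")
# Assumed shape of a legitimate perms expression (constructed for this example).
_PERMS_OK = re.compile(r"^(?:0|1|\$user->rights(?:->[A-Za-z_][A-Za-z0-9_]*)+)$")


def tokenize(expr: str) -> List[str]:
    """Split an expression into allowlisted tokens; any other character (quotes,
    semicolons, bare identifiers, $_GET, $user, ...) rejects the whole string."""
    tokens, pos = [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            if expr[pos:].strip() == "":   # only trailing whitespace left
                break
            raise ValueError(f"unsupported token at offset {pos}: {expr[pos:pos + 10]!r}")
        tokens.append(m.group(1) or m.group(2) or m.group(3))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive-descent evaluator: expr := term (('+'|'-') term)*,
    term := factor (('*'|'/') factor)*, factor := NUM | FIELD | '(' expr ')' | '-' factor."""

    def __init__(self, tokens: List[str], fields: Dict[str, float]):
        self.toks, self.i, self.fields = tokens, 0, fields

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self) -> float:
        value = self.term()
        while self.peek() in ("+", "-"):
            op, rhs = self.take(), self.term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self) -> float:
        value = self.factor()
        while self.peek() in ("*", "/"):
            op, rhs = self.take(), self.factor()
            if op == "*":
                value *= rhs
            else:
                if rhs == 0:
                    raise ZeroDivisionError("division by zero in computed field")
                value /= rhs
        return value

    def factor(self) -> float:
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "-":
            return -self.factor()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok.startswith("$object->"):
            return float(self.fields[tok[len("$object->"):]])  # KeyError if unknown field
        if tok in {"+", "*", "/", ")"}:
            raise ValueError(f"unexpected {tok!r}")
        return float(tok)


def safe_eval(expr: str, fields: Dict[str, float]) -> float:
    """Evaluate a computed-field expression against the object's fields without eval()."""
    p = _Parser(tokenize(expr), fields)
    value = p.expr()
    if p.peek() is not None:
        raise ValueError(f"trailing token {p.peek()!r}")
    return value


class _AnyField(dict):
    """Probe mapping used for syntax-only checks: every field resolves to 1.0."""
    def __missing__(self, key):
        return 1.0


def is_safe_expression(expr: str) -> bool:
    """True if the string fits the allowlist grammar, regardless of field values."""
    try:
        safe_eval(expr, _AnyField())
    except ValueError:
        return False
    except ZeroDivisionError:
        return True   # syntactically fine; a zero divisor is a runtime matter
    return True


def audit_rows(rows) -> List[str]:
    """Return names of extrafield rows whose fieldcomputed or perms column falls
    outside the allowlist, i.e. candidates for injected PHP."""
    flagged = []
    for row in rows:
        comp = (row.get("fieldcomputed") or "").strip()
        perms = (row.get("perms") or "").strip()
        bad_comp = bool(comp) and not is_safe_expression(comp)
        bad_perms = bool(perms) and not _PERMS_OK.match(perms)
        if bad_comp or bad_perms:
            flagged.append(row["name"])
    return flagged


if __name__ == "__main__":
    print(safe_eval("$object->total_ht * 2", {"total_ht": 100}))
    print(audit_rows(SAMPLE_ROWS))
```

The same allowlist serves both purposes: as an evaluator it replaces the eval() call, and as an audit it gives an incident responder a quick way to find rows in the two affected columns that could only have been written as PHP. In a real clean-up the rows would be read from the database rather than from the constructed list above.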