Dolibarr ERP CRM Online Signature Module Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in Dolibarr ERP CRM versions prior to 23.0.2. The issue resides in the Online Signature Module, specifically in the 'dol_verifyHash' function of 'htdocs/core/lib/security.lib.php'. Because the function improperly verifies the security token that protects online signing, a remote attacker can forge a token that passes verification and apply unauthorized signatures to documents such as proposals and contracts. The vulnerability is exploitable only under specific conditions: 'PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN' is empty or misconfigured, and 'MAIN_SECURITY_HASH_ALGO' is set to 'password_hash'.

Impact

Successful exploitation allows an unauthenticated remote attacker to bypass signature verification and attach unauthorized digital signatures to proposals, contracts and other documents managed by the affected Dolibarr ERP CRM instance. No credentials are required.

Reproduction

To reproduce this vulnerability, ensure that the Dolibarr instance has 'MAIN_SECURITY_HASH_ALGO' set to 'password_hash' and that 'PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN' is empty or misconfigured. In 'password_hash' mode the submitted token is checked with PHP's password_verify(), and a bcrypt hash carries its own salt, so any bcrypt hash of the expected input verifies regardless of who generated it. With an empty token that input is fully predictable: it is the concatenation of the document type, the document reference and the entity ID. An attacker therefore generates a bcrypt hash of that string with password_hash() and submits it as the security token; the verification passes and the signing step proceeds.

Remediation

Upgrade to Dolibarr 23.0.2 or later. Until the upgrade can be applied, ensure that 'PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN' is set to a long random value and is never left empty, since the token is the only secret in the verified input. Additionally, review the implementation of 'dol_verifyHash': a server-side check should derive the expected token from its own secret and compare it in constant time, rather than running password_verify() on a hash supplied by the client, because the client then controls the salt and the algorithm parameters of the value being verified.
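The reproduction and the remediation advice above, as an added PHP example written for this page. This is not Dolibarr's own code: the functions 'weak_verify', 'build_chain', 'forge_token', 'hardened_issue' and 'hardened_verify' are simplified models, the HMAC-based hardening is one assumed alternative rather than the project's fix, and the document fields are constructed sample values. It shows that a bcrypt hash minted by the attacker verifies when the token seed is empty, that it fails against a random seed the attacker does not know, and that a server-derived HMAC token rejects the forgery outright.

```php
<?php
// Illustrative model of the weak check described in this advisory. This is
// example code written for this page, not Dolibarr's own dol_verifyHash();
// the function names, the sample document fields and the hardened variant
// are assumptions made for the demonstration.

declare(strict_types=1);

// Models the 'password_hash' branch of the verifier: the value received from
// the client is treated as a bcrypt hash and checked with password_verify().
// bcrypt output embeds its own salt, so anyone who knows $chain can mint a
// hash that verifies; the check proves knowledge of $chain, nothing more.
function weak_verify(string $chain, string $received): bool
{
    if ($received === '' || $received[0] !== '$') {
        return false;
    }
    return password_verify($chain, $received);
}

// The input the verifier expects: security token seed followed by the
// document type, reference and entity id (the order given in the advisory).
function build_chain(string $seed, string $type, string $ref, string $entity): string
{
    return $seed . $type . $ref . $entity;
}

// The attacker's step: hash the public fields with an empty seed.
function forge_token(string $type, string $ref, string $entity): string
{
    return password_hash(build_chain('', $type, $ref, $entity), PASSWORD_BCRYPT);
}

// Assumed hardened alternative: the server derives the expected token with an
// HMAC keyed by a non-empty secret and compares in constant time. The client
// supplies only the token, never the salt or the algorithm parameters.
function hardened_issue(string $secret, string $type, string $ref, string $entity): string
{
    if ($secret === '') {
        throw new RuntimeException('online signature security token is not configured');
    }
    return hash_hmac('sha256', $type . $ref . $entity, $secret);
}

function hardened_verify(string $secret, string $type, string $ref, string $entity, string $received): bool
{
    if ($secret === '') {
        return false; // refuse to operate with an empty token
    }
    return hash_equals(hardened_issue($secret, $type, $ref, $entity), $received);
}

// Constructed sample document fields.
$type   = 'proposal';
$ref    = 'PR2405-0001';
$entity = '1';

$forged = forge_token($type, $ref, $entity);

// Case 1: PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN empty, password_hash mode.
$bypassed = weak_verify(build_chain('', $type, $ref, $entity), $forged);

// Case 2: a random, non-empty token; the attacker still only knows public fields.
$seed = bin2hex(random_bytes(16));
$stillBypassed = weak_verify(build_chain($seed, $type, $ref, $entity), $forged);

// Case 3: hardened scheme; the forged bcrypt string is simply a wrong token.
$hardenedRejects = !hardened_verify($seed, $type, $ref, $entity, $forged);
$hardenedAccepts = hardened_verify($seed, $type, $ref, $entity, hardened_issue($seed, $type, $ref, $entity));

printf("empty seed, bcrypt forgery accepted: %s\n", $bypassed ? 'yes' : 'no');
printf("random seed, bcrypt forgery accepted: %s\n", $stillBypassed ? 'yes' : 'no');
printf("hardened check rejects forgery: %s, accepts genuine token: %s\n",
    $hardenedRejects ? 'yes' : 'no', $hardenedAccepts ? 'yes' : 'no');

// Non-zero exit if the behaviour differs from what the advisory describes.
exit(($bypassed && !$stillBypassed && $hardenedRejects && $hardenedAccepts) ? 0 : 1);
```

Run it with `php forge_demo.php` (file name assumed). One further caveat for anyone keeping the bcrypt-based check with a configured token: bcrypt only processes the first 72 bytes of its input, and the seed is concatenated first, so a seed of 72 bytes or more makes the document type, reference and entity ID irrelevant to the hash and one token then verifies for every document.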

Added: May 3, 2026, 10:19 AM
Updated: May 3, 2026, 10:19 AM

Vulnerability Rating (Custom Algorithm)

spread:         5.0
impact:         1.3
exploitability: 9.5
remediation:    0.0
relevance:      7.3
threat:         6.4
urgency:        2.9
incentive:      8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.