Dolibarr logo

Vladimir had the opportunity to test the security of the Open Source CRM software Dolibarr during an intrusion test of a business tool.

Dolibarr ERP CRM is a modern software package to manage your company or foundation’s activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, …). It is open source software (written in PHP) and designed for small and medium businesses, foundations and freelancers.

Ref: https://github.com/Dolibarr/dolibarr

Our pentester discovered a critical vulnerability exploitable by an unauthenticated attacker. It provides access to a competitor’s entire customer file, prospects, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved. Very easy to exploit, it affects Dolibarr 16.x versions.

EDIT (22/03/2023) : Dolibarr version 16.0.5 fixes this vulnerability for v16. (https://github.com/Dolibarr/dolibarr/blob/16.0.5/ChangeLog#L34).

EDIT2 (13/06/2023) : CVE-2023-33568 assigned.

Discovery of the vulnerability

In order to perform tests on the software itself without impacting the client’s production, and having access to as much information as possible, the consultant created a local Dolibarr environment in the identified version.

The containerized image https://hub.docker.com/r/tuxgasy/dolibarr allows one to have a functional environment in minutes with Docker to start hunting for vulnerabilities. The tuxgasy/dolibarr:16 image was used to discover this vulnerability.

Without necessarily trying to delve too much into the details of the Dolibarr code base, the auditor simply listed all the PHP files accessible from the root of the web server in order to identify those which are accessible without authentication:

find . -type f -name “*.php”

One of the scripts thus accessible attracts attention because its response differs from the others:https://github.com/Dolibarr/dolibarr/blob/16.0.4/htdocs/public/ticket/ajax/ajax.php.

Reading the PHP code instructs us on the required parameters: action and email.

In particular, action must be equal to “getContacts“.

When all conditions are met, the following response is returned to the unauthenticated user:
Dolibarr ticket ajaxDolibarr integrates some protections and checks that the variables sent by users do not contain suspicious patterns (XSS, SQL injections):

Dolibarr WAF example

If the parameters have been protected in this way, the injections are therefore generally more complex to exploit.

We are therefore currently in the presence of unauthenticated access to the details of a contact, provided that the attacker knows the email address associated with it.

Digging deeper into the PHP code, the pentester lands on the SQL query called:

SQL query getContacts Dolibarr

We can observe the use of the SQL LIKE operator: with a bit of luck the ‘%‘ character can be used to transform the query and make it return all the records!

Dolibarr unauthenticated contact database dump

All contact details are returned in a single request.

A sorting on a few fields demonstrates the interest of this vulnerability:

Dolibarr vulnerability contacts details

An attacker could access a competitor’s entire customer file, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved.

Attacker can get other information such as technical data about the database:

Dolibarr vulnerability database information

Impact & PoC

Dolibarr 16.x versions are affected. Version 17 disables access to this page by default, a specific Dolibarr option must be set for it to be accessible again.

The estimated CVSSv3 score is 7.5 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1), however the nature of the data and the ease of exploitation make it a critical vulnerability.

Linux command to reproduce the vulnerability and display some arbitrary fields:

curl -sk ‘[URI_DOLIBARR]/public/ticket/ajax/ajax.php?action=getContacts&email=%’ | jq -r ‘.contacts[] | {id, socname, poste, email, phone_perso, phone_pro, note_public, note_private}’

Recommendations

Business tools as important as an ERP/CRM must be properly secured:

  • Open access to the Internet only if strictly necessary (prefer VPN access)
  • Only use the plugins useful for your use cases
  • Perform regular account reviews
  • Keep the various software components up to date
  • Ensure that your access policy is correctly implemented (password complexity, 2FA, …)
  • Implement, and maintain, a policy of least privilege
  • Perform regular penetration testing (regardless of application exposure)

Many Dolibarr instances are exposed on the Internet: for those which are in version 16.x remember to upgrade quickly!

Communication with the software publisher

Dolibarr’s Coordinated Disclosure Process is documented at the following URL: https://github.com/Dolibarr/dolibarr/security/policy.

The firs answer was (very) fast. On the other hand, the Dolibarr ecosystem could gain in security by communicating in a clear and precise manner on the vulnerabilities discovered and fixed in a centralized place, such as the Github “Security Advisories”.

21/02/2023 : First email sent by Vladimir following the Dolibarr process

21/02/2023 : Response from developer Eldy validating the vulnerability and indicating that the feature in question will be disabled with Dolibarr 17

05/03/2023 : Dolibarr v17 released

14/03/2023 : Article published

🛡️ DSecBypass accompanies you on the security audits of your business applications. Do not hesitate to contact us for additional information and/or a personalized quote 📝.