{"id":2693,"date":"2023-03-13T13:37:09","date_gmt":"2023-03-13T12:37:09","guid":{"rendered":"https:\/\/www.dsecbypass.com\/?p=2693"},"modified":"2024-02-07T10:18:41","modified_gmt":"2024-02-07T09:18:41","slug":"dolibarr-pre-auth-contact-database-dump","status":"publish","type":"post","link":"https:\/\/www.dsecbypass.com\/en\/dolibarr-pre-auth-contact-database-dump\/","title":{"rendered":"Dolibarr : unauthenticated contacts database theft"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.17.3″ _module_preset=”default” custom_padding=”0px||||false|false” global_colors_info=”{}”][et_pb_row _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.17.3″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.dsecbypass.com\/wp-content\/uploads\/2023\/02\/dolibarr_logo-300×150.png” alt=”Dolibarr logo ” title_text=”dolibarr logo” align=”center” _builder_version=”4.20.0″ _module_preset=”default” background_color=”RGBA(255,255,255,0)” width=”50%” module_alignment=”center” global_colors_info=”{}”][\/et_pb_image][et_pb_text _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Vladimir had the opportunity to test the security of the Open Source CRM software Dolibarr<\/a> during an intrusion test<\/a> of a business tool.<\/p>\n

\n

Dolibarr ERP CRM is a modern software package to manage your company or foundation’s activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, …). It is open source software (written in PHP) and designed for small and medium businesses, foundations and freelancers. <\/span><\/p>\n

Ref: https:\/\/github.com\/Dolibarr\/dolibarr
<\/span><\/p>\n<\/blockquote>\n

Our pentester discovered a critical vulnerability<\/strong> exploitable by an unauthenticated attacker<\/strong>. It provides access to a competitor’s entire customer file,<\/strong> prospects, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved. Very easy to exploit, it affects Dolibarr 16.x versions<\/strong>.<\/p>\n

EDIT (22\/03\/2023)<\/strong> : Dolibarr version 16.0.5 fixes this vulnerability for v16. (https:\/\/github.com\/Dolibarr\/dolibarr\/blob\/16.0.5\/ChangeLog#L34<\/a>).<\/p>\n

EDIT2 (13\/06\/2023)<\/strong> : CVE-2023-33568 assigned.
<\/strong><\/p>\n

[\/et_pb_text][et_pb_text module_id=”sauvegarder” _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Discovery of the vulnerability<\/h2>\n

In order to perform tests on the software itself without impacting the client’s production, and having access to as much information as possible, the consultant created a local Dolibarr environment in the identified version.<\/p>\n

The containerized image https:\/\/hub.docker.com\/r\/tuxgasy\/dolibarr<\/a> allows one to have a functional environment in minutes with Docker to start hunting for vulnerabilities. The tuxgasy\/dolibarr:16<\/code> image was used to discover this vulnerability.<\/p>\n

Without necessarily trying to delve too much into the details of the Dolibarr code base, the auditor simply listed all the PHP files accessible from the root of the web server in order to identify those which are accessible without authentication:<\/p>\n

\n

find . -type f -name “*.php”<\/strong><\/p>\n<\/blockquote>\n

One of the scripts thus accessible attracts attention because its response differs from the others:https:\/\/github.com\/Dolibarr\/dolibarr\/blob\/16.0.4\/htdocs\/public\/ticket\/ajax\/ajax.php<\/a>.<\/p>\n

Reading the PHP code instructs us on the required parameters: action<\/em><\/strong> and email<\/em><\/strong>.<\/p>\n

In particular, action<\/em><\/strong> must be equal to “getContacts<\/strong><\/span>“.<\/p>\n

When all conditions are met, the following response is returned to the unauthenticated user:
<\/span>\"DolibarrDolibarr integrates some protections and checks that the variables sent by users do not contain suspicious patterns (XSS, SQL injections):<\/p>\n

\"Dolibarr<\/p>\n

If the parameters have been protected in this way, the injections are therefore generally more complex to exploit.<\/p>\n

We are therefore currently in the presence of unauthenticated access to the details of a contact, provided that the attacker knows the email address associated with it.<\/p>\n

Digging deeper into the PHP code, the pentester lands on the SQL query called:<\/p>\n

\"SQL<\/p>\n

We can observe the use of the SQL LIKE operator: with a bit of luck the ‘%<\/strong>‘ character can be used to transform the query and make it return all the records!<\/p>\n

\"Dolibarr<\/p>\n

All contact details are returned in a single request.<\/p>\n

A sorting on a few fields demonstrates the interest of this vulnerability:<\/p>\n

\"Dolibarr<\/p>\n

An attacker could access a competitor’s entire customer file<\/strong>, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved.<\/p>\n

Attacker can get other information such as technical data about the database:<\/p>\n

\"Dolibarr<\/p>\n

<\/span><\/span><\/p>\n

[\/et_pb_text][et_pb_text module_id=”virus” _builder_version=”4.23.2″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Impact & PoC<\/h2>\n

Dolibarr 16.x versions are affected. Version 17 disables access to this page by default, a specific Dolibarr option must be set for it to be accessible again.<\/p>\n

The estimated CVSSv3 score is 7.5 (https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator?vector=AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N&version=3.1<\/a>), however the nature of the data and the ease of exploitation make it a critical vulnerability<\/strong>.<\/p>\n

Linux command to reproduce the vulnerability and display some arbitrary fields:<\/p>\n

\n

curl -sk ‘[URI_DOLIBARR]\/public\/ticket\/ajax\/ajax.php?action=getContacts&email=%’ | jq -r ‘.contacts[] | {id, socname, poste, email, phone_perso, phone_pro, note_public, note_private}’<\/strong><\/p>\n<\/blockquote>\n

[\/et_pb_text][et_pb_text module_id=”mobiles” _builder_version=”4.20.0″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Recommendations<\/h2>\n

Business tools as important as an ERP\/CRM must be properly secured:<\/p>\n