CVE-2019-25450

Source: disclosure@vulncheck.com

HIGH
7.1
Published: February 22, 2026 at 02:16 PM
Modified: February 23, 2026 at 06:13 PM

Vulnerability Description

Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

CVSS Metrics

Base Score
7.1
Severity
HIGH
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: disclosure@vulncheck.com

AI Security Analysis

01 // Technical Summary

Dolibarr ERP/CRM 10.0.1 is vulnerable to multiple SQL injection attacks, allowing authenticated attackers to compromise the database. Successful exploitation enables attackers to extract sensitive data, potentially leading to a full system compromise and data breaches, impacting business operations and customer trust.

02 // Vulnerability Mechanism

Step 1: Authentication: The attacker must first authenticate to the Dolibarr ERP/CRM system, leveraging valid credentials or previously compromised accounts.

Step 2: Parameter Identification: The attacker identifies the vulnerable card.php endpoint and the susceptible POST parameters: actioncode, demand_reason_id, and availability_id.

Step 3: Payload Insertion: The attacker crafts a malicious SQL payload designed to extract sensitive information. This payload is injected into one or more of the identified POST parameters.

Step 4: Payload Delivery: The attacker submits a crafted HTTP POST request to the card.php endpoint containing the malicious SQL payload.

Step 5: Query Execution: The vulnerable application constructs and executes the SQL query, incorporating the attacker's payload.

Step 6: Data Extraction (Boolean-based Blind): If the application does not display the query results directly, the attacker uses boolean-based blind SQL injection. The attacker crafts payloads that evaluate to true or false conditions and infers database information from how the application's response differs between the two cases (for example, a changed page, an error message, or a delay).

Step 7: Data Extraction (Error-based): The attacker crafts payloads that trigger database errors, revealing information about the database structure and data. This is used if the application displays error messages.

Step 8: Data Extraction (Time-based Blind): The attacker crafts payloads that cause the database to delay its response based on the injected SQL code. This allows the attacker to infer information about the database by measuring the response time.

Step 9: Data Exfiltration: The attacker systematically extracts sensitive data, such as usernames, passwords, customer information, and financial records, based on the chosen SQL injection technique.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and sanitization of user-supplied data within the card.php endpoint. Specifically, the application fails to properly sanitize POST parameters such as actioncode, demand_reason_id, and availability_id before incorporating them into SQL queries. This allows attackers to inject malicious SQL code, manipulating the queries to extract, modify, or delete data from the database. The root cause is a lack of parameterized queries or prepared statements, which would have prevented the injection of malicious SQL code. The application relies on string concatenation to build SQL queries, making it susceptible to SQL injection. The use of boolean-based blind, error-based, and time-based blind techniques indicates the application's inability to directly display the results of the injected SQL code, requiring attackers to infer the database structure and data through indirect methods.

04 // Exploitation Status

Likely **Actively exploited**. Given the nature of the vulnerability and the availability of public information, it is highly probable that attackers are actively exploiting this vulnerability. The lack of specific public PoC links in this scenario suggests that the vulnerability is being exploited in the wild, or that the PoCs are not widely available.

05 // Threat Intelligence

While no specific APT groups are definitively linked to this CVE, SQL injection is a common attack vector used by various threat actors, including financially motivated groups and state-sponsored actors. The potential for data exfiltration makes this a high-value target. CISA KEV status: Not listed.

06 // Detection & Hunting

  • Web application firewall (WAF) logs showing suspicious SQL syntax in POST parameters to card.php.

  • Database server logs revealing unusual query patterns, such as excessive query times or error messages related to SQL syntax.

  • Network traffic analysis identifying POST requests to card.php with potentially malicious payloads in the actioncode, demand_reason_id, or availability_id parameters.

  • Intrusion Detection System (IDS) alerts triggered by SQL injection signatures.

  • Reviewing web server access logs for unusual activity, such as repeated requests to card.php with different payloads.
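A small detector for the indicators listed above, added here as an illustrative example (it is not part of the advisory or of Dolibarr): it scans constructed JSON-lines WAF records for POST requests to card.php whose actioncode, demand_reason_id or availability_id values do not match the expected shape, tags each by the technique markers it contains, and flags sources that repeatedly vary the payload. The placeholder paths and the expected value shapes are assumptions.

```python
import json
import re
# Endpoint and POST parameters named in the advisory for CVE-2019-25450.
TARGET_PATH = "card.php"
SUSPECT_PARAMS = ("actioncode", "demand_reason_id", "availability_id")
# Allowed shapes (assumption, not from Dolibarr source): integer ids, short code.
EXPECTED = {
    "actioncode": re.compile(r"^[A-Za-z0-9_]{1,32}$"),
    "demand_reason_id": re.compile(r"^\d{1,10}$"),
    "availability_id": re.compile(r"^\d{1,10}$"),
}
# Heuristic markers for the three techniques the advisory lists.
MARKERS = {
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I),
    "boolean-based": re.compile(r"\b(and|or)\b\s*[\d'\"(]", re.I),
    "error-based": re.compile(r"\b(extractvalue|updatexml)\b", re.I),
}
# Constructed sample records (not real traffic); paths are placeholders.
SAMPLE_LOG = """
{"ip": "10.0.0.5", "method": "POST", "path": "/mod/card.php", "params": {"actioncode": "AC_OTH", "demand_reason_id": "3"}}
{"ip": "203.0.113.9", "method": "POST", "path": "/mod/card.php", "params": {"demand_reason_id": "3 AND SLEEP(5)"}}
{"ip": "203.0.113.9", "method": "POST", "path": "/mod/card.php", "params": {"availability_id": "1 AND 1=1"}}
{"ip": "198.51.100.2", "method": "POST", "path": "/other/card.php", "params": {"actioncode": "x' AND EXTRACTVALUE(1,'a')-- "}}
{"ip": "198.51.100.2", "method": "GET", "path": "/index.php", "params": {"actioncode": "' OR 1=1"}}
"""

def classify(value):
    """Return the techniques whose markers appear in a parameter value."""
    return [name for name, rx in MARKERS.items() if rx.search(value)]

def analyze(log_text):
    """Scan JSON-lines WAF records; return one finding per malformed value."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").endswith(TARGET_PATH):
            continue
        for param in SUSPECT_PARAMS:
            value = rec.get("params", {}).get(param)
            if value is None or EXPECTED[param].match(value):
                continue  # absent or well-formed: nothing to report
            findings.append({"ip": rec.get("ip", "?"), "param": param, "value": value,
                             "techniques": classify(value) or ["unclassified"]})
    return findings

def repeat_offenders(findings, threshold=2):
    """Source IPs that sent at least `threshold` distinct malformed payloads."""
    seen = {}
    for f in findings:
        seen.setdefault(f["ip"], set()).add(f["value"])
    return sorted(ip for ip, vals in seen.items() if len(vals) >= threshold)
```

The shape check fires on any value that is not a plain id or code, so it also catches payloads the marker list does not name; the markers only add a technique label for triage.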

07 // Remediation & Hardening

  • Upgrade to a patched version of Dolibarr ERP/CRM (version 10.0.2 or later).

  • Implement parameterized queries or prepared statements to prevent SQL injection vulnerabilities.

  • Thoroughly validate and sanitize all user-supplied input, especially POST parameters, before incorporating them into SQL queries.

  • Implement a web application firewall (WAF) to filter malicious requests.

  • Regularly scan the application for vulnerabilities using static and dynamic analysis tools.

  • Enforce the principle of least privilege for database users.

  • Monitor database activity for suspicious patterns.

  • Implement strong password policies and multi-factor authentication (MFA) for all user accounts.

08 // Affected Products

Dolibarr ERP/CRM 10.0.1