Used by millions of users worldwide, the Dolibarr ERP CRM has become a major integrated solution in the Open Source world. Its user and developer community is growing (source).
Depended on by both large-scale corporations and individual freelancers, Dolibarr ERP CRM supports human resources, marketing, finance and other groups by offering an array of useful modules – everything from sales management to project management capabilities is covered by this software.
Bishop Fox researcher Priyank Nigam recently found three critical vulnerabilities (see technical advisory for more information) in version 9.01 of this open source software. We contacted Dolibarr immediately and partnered together in the responsible disclosure process. As of this publication, all issues have been remediated.
The issues we identified in Dolibarr are not unique – open source software is especially susceptible to vulnerabilities. IT managers and developers need to avoid falling prey to a fallacy about open source: that it’s more secure because there are more eyes on the code because it’s freely available for examination.
This is not always the case, though. In reality, it’s likely much of the code is outdated, or the project behind it, regardless of how popular it may be, could be run by a few otherwise busy people on their spare time.
Open source libraries and third-party code are integral parts of our modern environment, and vigilance about the security of both is paramount to the safety and the privacy of people who use the internet.
Bishop Fox identified two instances of remote code execution and one instance of stored cross-site scripting in the Dolibarr application. For a quick TLDR, here’s what that means in broken-down terms.
The Dolibarr ERP/CRM application backs up its database content to a dump file, but the application performs insufficient checks on the export parameters mysqldump. This can lead to the execution of arbitrary code on the server. It’s then possible to upload malicious code by abusing the application’s other functionalities.
Once the code is executed – and dependent on the server’s configuration – an attacker can escalate privileges to the root user. From this point, an attacker can gain access to the domain admin account – and gain visibility into the entire network.
The other instance is found within the module of the application that allows for the creation of public websites with a WYSIWG editor. The editor also allows inclusion of dynamic code, which can lead to code execution on a host machine.
An attacker simply checks a setting on the same page; this then specifies the inclusion of dynamic content. This allows a lower privileged user to execute code under the underlying web server’s context and permissions.
Dolibarr released a fix in the latest version of their ERP/CRM 9.0.3; please update your software ASAP.