
[Dolibarr-bugtrack] [Bug #1581] SQL injection possible


From: Doliforge
Subject: [Dolibarr-bugtrack] [Bug #1581] SQL injection possible
Date: Tue, 26 Aug 2014 16:07:16 +0200


SQL injection possible

State

Details
Last Modified On: 26/08/2014 16:07
Submitted by: HENRY Florian (fhenry)
Submitted on: 26/08/2014 16:07
Summary: SQL injection possible
Description:

Vulnerability Title:
Dolibarr ERP & CRM 3.5.3 - Multiple SQL Injections

Affected systems:
Dolibarr ERP & CRM 3.5.3

Description:
SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.

Details:
The following URLs and parameters have been confirmed to suffer from various forms of SQL injection.

GET:

http://[IP]/dolibarr/product/stock/fiche.php?action=<SQL Injection>
http://[IP]/dolibarr/product/stock/liste.php?sref=55<SQL Injection>&token=142abe4c1c4b84c3d0c81533c3840cc4&sall=55
http://[IP]/dolibarr/product/stock/liste.php?sref=address@hidden&token=142abe4c1c4b84c3d0c81533c3840cc4&sall=55<SQL Injection>
http://[IP]/dolibarr/projet/element.php?ref=PJ1407<SQL Injection>
http://[IP]/dolibarr/projet/tasks/index.php?search_project=5<SQL Injection>bqve&button_search.x=1&button_search.y=1&mode=
http://[IP]/dolibarr/compta/prelevement/demandes.php?search_societe=5<SQL Injection>&search_facture=5&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/comm/mailing/liste.php?sref=5<SQL Injection>&sall=5&x=1&y=1
http://[IP]/dolibarr/comm/mailing/liste.php?sref=5&sall=5<SQL Injection>&x=1&y=1
http://[IP]/dolibarr/compta/sociales/index.php?search_label=5<SQL Injection>&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/paiement/cheque/liste.php?sortfield=bc.number<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/compta/paiement/cheque/liste.php?sortfield=bc.number&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/compta/prelevement/rejets.php?sortfield=p.ref<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/compta/prelevement/rejets.php?sortfield=p.ref&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=<SQL Injection>&tobuy=&type=&
http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=&tobuy=<SQL Injection>&type=&
http://[IP]/dolibarr/product/reassort.php?toolowstock=on&snom=5&sortorder=ASC&sref=5&token=d638ca7f80a7ad68e2cf327a75f954a6&button_search.x=1&button_search.y=1&type=&search_categ=4<SQL Injection>&sortfield=stock_physique
http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=1<SQL Injection>&tobuy=&type=&
http://[IP]/dolibarr/product/liste.php?sortfield=p.ref&sortorder=asc&begin=&sref=&snom=&sall=&tosell=1&tobuy=<SQL Injection>&type=&
http://[IP]/dolibarr/product/stats/commande_fournisseur.php?sortfield=c.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/commande_fournisseur.php?sortfield=c.rowid&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stats/contrat.php?sortfield=c.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/contrat.php?sortfield=c.rowid'&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stats/facture_fournisseur.php?sortfield=s.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/facture_fournisseur.php?sortfield=s.rowid&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stats/propal.php?sortfield=p.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/propal.php?sortfield=p.rowid&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stock/fiche.php?id=0<SQL Injection>
http://[IP]/dolibarr/product/stock/info.php?id=0<SQL Injection>
http://[IP]/dolibarr/product/stock/liste.php?sortfield=e.label&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/product/stock/liste.php?sortfield=e.label<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/product/reassort.php?toolowstock=on&snom=5&sortorder=ASC&sref=5<SQL Injection>&token=d638ca7f80a7ad68e2cf327a75f954a6&button_search.x=1&button_search.y=1&type=&search_categ=4&sortfield=stock_physique
http://[IP]/dolibarr/product/stock/massstockmove.php?productid=1<SQL Injection>&token=9d491e55462571d39390bd136f4f50da&id_tw=-1&action=
http://[IP]/dolibarr/product/stock/replenishorders.php?sortfield=cf.ref&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/product/stock/replenishorders.php?sortfield=cf.ref<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/projet/contact.php?id=1&action=<SQL Injection>
http://[IP]/dolibarr/projet/tasks/contact.php?id=1&action=<SQL Injection>
http://[IP]/dolibarr/compta/recap-compta.php?socid=1<SQL Injection>
http://[IP]/dolibarr/holiday/index.php?mainmenu=holiday&id=1<SQL Injection>
http://[IP]/dolibarr/projet/tasks/contact.php?id=2&source=internal&token=acff06ed1720e3ec66a16918dcee2bfd&action=<SQL Injection>&withproject=1
http://[IP]/dolibarr/product/stock/fiche.php?id=1<SQL Injection>
http://[IP]/dolibarr/projet/contact.php?ref=PJ1407-0002<SQL Injection>
http://[IP]/dolibarr/projet/ganttview.php?ref=PJ1407-0002<SQL Injection>
http://[IP]/dolibarr/projet/note.php?ref=PJ1407-0002<SQL Injection>
http://[IP]/dolibarr/projet/tasks/contact.php?project_ref=PJ1407-0002<SQL Injection>&withproject=1
http://[IP]/dolibarr/projet/tasks.php?ref=PJ1407-0002<SQL Injection>&mode=mine
http://[IP]/dolibarr/projet/tasks/note.php?project_ref=PJ1407-0002<SQL Injection>&withproject=1
http://[IP]/dolibarr/contact/info.php?id=2<SQL Injection>&optioncss=print
http://[IP]/dolibarr/societe/commerciaux.php?socid=117260852<SQL Injection>&optioncss=print
http://[IP]/dolibarr/compta/dons/liste.php?statut=2<SQL Injection>
http://[IP]/dolibarr/societe/rib.php?socid=1<SQL Injection>&optioncss=print
http://[IP]/dolibarr/adherents/liste.php?leftmenu=members&statut=1<SQL Injection>&filter=outofdate&idmenu=9431&mainmenu=members
http://[IP]/dolibarr/product/reassort.php?sortfield=p.ref&sortorder=asc&begin=&tosell=43<SQL Injection>&tobuy=&type=0&fourn_id=&snom=&sref=&
http://[IP]/dolibarr/product/reassort.php?sortfield=p.ref&sortorder=asc&begin=&tosell=&tobuy=3<SQL Injection>&type=0&fourn_id=&snom=&sref=&
http://[IP]/dolibarr/product/index.php?leftmenu=product&type=0<SQL Injection>&idmenu=2819&mainmenu=products
http://[IP]/dolibarr/product/stats/facture.php?sortfield=s.rowid<SQL Injection>&sortorder=asc&begin=&id=2
http://[IP]/dolibarr/product/stats/facture.php?sortfield=s.rowid&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/user/index.php?sortfield=u.login&sortorder=asc&begin=search_user=&sall=&search_statut=<SQL Injection>&
http://[IP]/dolibarr/compta/bank/fiche.php?id=<SQL Injection>
http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5<SQL Injection>&search_societe=5&search_ligne=5&search_bon=5&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5<SQL Injection>&search_ligne=5&search_bon=5&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5&search_ligne=5<SQL Injection>&search_bon=5&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/prelevement/liste.php?search_code=5&search_societe=5&search_ligne=5&search_bon=5<SQL Injection>&button_search.x=1&button_search.y=1
http://[IP]/dolibarr/compta/prelevement/bons.php?sortfield=p.ref&sortorder=asc<SQL Injection>&begin=&
http://[IP]/dolibarr/compta/prelevement/bons.php?sortfield=p.ref<SQL Injection>&sortorder=asc&begin=&
http://[IP]/dolibarr/product/stats/commande.php?sortfield=c.rowid&sortorder=asc<SQL Injection>&begin=&id=2
http://[IP]/dolibarr/product/stats/commande.php?sortfield=c.rowid<SQL Injection>&sortorder=asc&begin=&id=2

POST:

POST /dolibarr/product/liste.php HTTP/1.1
Host: 192.168.56.103
[...]
Cookie: DOLSESSID_bca8ba010461ef1336d17dcd7836c25c=29mufjtdcngabkspms4169dkr3

snom=address@hidden&sortorder=ASC07356377&sref=address@hidden&token=fbb496299c4898552cde8e500a4ca985&tosell=0<SQL Injection>&action=

Impact:
An attacker would be able to exfiltrate the database and user credentials and, in certain setups, access the underlying operating system.
___

If you have any questions, feel free to let me know.
Please be aware we ask that vendors keep us updated on their progress during our coordination prior to disclosure.

Kind regards,

Arron Dowdeswell
Portcullis Advisories
<address@hidden>
PGP Key ID: 0xF6406A85
Step to reproduce bug:
Detected in version: 3.6.0
Category: Security
Severity: 8
OS Type/Version:
PHP version:
Database type and version:

State
Status: Open
Assigned to: None
Resolution: None
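Most of the parameters listed in the advisory are sortfield/sortorder values and search filters, which are injectable when they are spliced into the SQL text. As an added illustration, not Dolibarr's own code, the following PHP shows that query-building shape beside a hardened version that allowlists the ORDER BY identifiers and binds the search value through PDO. The table name llx_product, the column allowlist and the PDO handle are assumptions.

```php
<?php
// Added illustration, not Dolibarr's own code. The column names come from the
// advisory's sortfield values; the table llx_product and the PDO handle are assumed.

// Vulnerable shape: sortfield, sortorder and the sref filter are spliced into the SQL
// text, which is how a "sortorder=asc<SQL Injection>" style input reaches the database.
function buildListQueryUnsafe(string $sref, string $sortfield, string $sortorder): string
{
    return "SELECT p.rowid, p.ref FROM llx_product AS p"
        . " WHERE p.ref LIKE '%" . $sref . "%'"
        . " ORDER BY " . $sortfield . " " . $sortorder;
}

// Hardened shape: identifiers (column, direction) cannot be bound as placeholders, so
// they are checked against an allowlist; the search value is passed as a bound parameter.
const SORTABLE_COLUMNS = ['p.rowid', 'p.ref'];

function buildListQuerySafe(string $sref, string $sortfield, string $sortorder): array
{
    if (!in_array($sortfield, SORTABLE_COLUMNS, true)) {
        $sortfield = 'p.ref';            // unknown column: fall back to a fixed default
    }
    $sortorder = (strtoupper($sortorder) === 'DESC') ? 'DESC' : 'ASC';
    $sql = "SELECT p.rowid, p.ref FROM llx_product AS p"
        . " WHERE p.ref LIKE :sref"
        . " ORDER BY {$sortfield} {$sortorder}";
    // Escape LIKE metacharacters so the user value matches literally.
    $params = [':sref' => '%' . addcslashes($sref, '%_\\') . '%'];
    return [$sql, $params];
}

function runListQuery(PDO $db, string $sref, string $sortfield, string $sortorder): array
{
    [$sql, $params] = buildListQuerySafe($sref, $sortfield, $sortorder);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input mirroring the advisory's marker: the unsafe builder passes it
// through into the SQL text, the safe builder reduces it to "ORDER BY p.ref ASC".
$sortorder = 'asc<SQL Injection>';
echo buildListQueryUnsafe('55', 'p.ref', $sortorder), PHP_EOL;
[$sql, $params] = buildListQuerySafe('55', 'p.ref', $sortorder);
echo $sql, PHP_EOL;
```

The same allowlist check applies to every sortfield/sortorder pair on the page's list; the bound-parameter form covers the sref, sall, search_* and id-style values.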
