Compliance Impact

This vulnerability allows authenticated administrators to execute arbitrary PHP code on the server, leading to complete system compromise including database credential disclosure, system file access, and exposure of application secrets.

Such a compromise can result in unauthorized access to sensitive personal data, violating confidentiality and integrity requirements mandated by standards like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to potential data breaches and failure to protect sensitive information.

Useful 0 Not Useful 0

Executive Summary

Dolibarr ERP/CRM versions up to and including 22.0.2 contain an authenticated remote code execution vulnerability in the user extrafields functionality.

The issue arises because user-controlled input from the "computed value" field is passed to PHP's eval() function without proper sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server.

An attacker with a valid administrator account can create a malicious extrafield with a payload in the computed value field, then trigger execution by viewing a user creation page, leading to complete system compromise.

The root cause is the use of eval() combined with insufficient input validation and a blacklist approach to filtering, which can be bypassed.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can result in database credential disclosure, system file access, application secret exposure, file system enumeration, and even the creation of persistent webshells.

The technical impact is severe, with high confidentiality, integrity, and availability risks.

The attack chain breaks the security boundary between the web application and system-level access, potentially leading to complete system compromise.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious extrafields created by authenticated administrators in the Dolibarr ERP/CRM system, specifically in the "computed value" field of user extrafields. Since exploitation requires an authenticated administrator to inject PHP code into this field, monitoring changes or additions to extrafields with suspicious or complex PHP code is key.

There are no specific network detection commands provided, but system administrators can audit the database entries related to user extrafields for suspicious PHP code patterns, especially those containing eval() or unusual characters like < and [ which are used to bypass filtering.

Additionally, reviewing web server logs for unusual access patterns to user creation pages or extrafield modification endpoints by administrator accounts may help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting administrator access to trusted personnel only, as exploitation requires authenticated administrator privileges.

Since no patched versions are available as of the publication date, it is recommended to disable or restrict the use of the user extrafields functionality, especially the "computed value" field, to prevent injection of malicious PHP code.

Monitoring and auditing administrator actions related to extrafields creation or modification is critical to detect and prevent exploitation.

Consider implementing additional application-level input validation or web application firewall (WAF) rules to block suspicious payloads targeting the computed value field.

Useful 0 Not Useful 0