oss-sec mailing list archives

Re: Dolibarr ERP & CRM - Multiple Issues

From: Brandon Perry <bperry.volatile () gmail com>
Date: Wed, 17 May 2017 16:21:42 -0500

On May 17, 2017, at 3:08 PM, Stefan Pietsch <stefan.pietsch () foxmole com> wrote:

On 10.05.2017 10:28, FOXMOLE Advisories wrote:

=== FOXMOLE - Security Advisory 2017-02-23 ===

Dolibarr ERP & CRM  - Multiple Issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected Versions
=================
Dolibarr 4.0.4

Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting,
                   Weak Hash Algorithm without Salt, Weak Password Change Method
Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: Dolibarr
Vendor URL: https://www.dolibarr.org/
Credits: FOXMOLE employees Tim Herres and Stefan Pietsch
Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
Advisory Status: Public
OVE-ID: OVE-20170223-0001
CVE Number: CVE-2017-7886, CVE-2017-7887, CVE-2017-7888
CVE URL: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7886
        https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7887
        https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7888
CWE-ID: CWE-79, CWE-89, CWE-327, CWE-620, CWE-759
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


--- snip ---

Here is a small update to our security advisory.

An additional CVE ID got assigned for the password change finding:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8879 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8879>


Meanwhile the Dolibarr developers fixed more possible SQL injection bugs
in this git commit:
https://github.com/Dolibarr/dolibarr/commit/fa290c34fad108ec7c0751c0372ae9c4b4f63b06 
<https://github.com/Dolibarr/dolibarr/commit/fa290c34fad108ec7c0751c0372ae9c4b4f63b06>

They still didn't release a fixed version of the Dolibarr software.



For CVE-2017-7886 I don't agree with the CVSS v2 scoring from the NIST.
They rated "Confidentiality Impact" as partial while I think it is
complete as we have full access to all tables.


But you don’t have access to the underlying system, such as configuration files with plaintext passwords or similar. 
Only in a poorly configured MySQL instance would you be able to read files in the first place. I agree that the 
Confidentiality Impact is partial.


Regards,
Stefan

Attachment: signature.asc
Description: Message signed with OpenPGP

Current thread:

Dolibarr ERP & CRM - Multiple Issues FOXMOLE Advisories (May 10)
- Re: Dolibarr ERP & CRM - Multiple Issues Stefan Pietsch (May 17)
  - Re: Dolibarr ERP & CRM - Multiple Issues Brandon Perry (May 17)