Dolibarr 16.0 - Security breach

ksar · March 16, 2023, 9:47am

Hello,
an important security breach has been fixed in dolibarr 16 but as many people don’t necessarily follow all the updates I prefer to post a message in the hope that you can do the necessary on your installations.

First of all, only version 16 is impacted, version 15 (and before) are not and neither is version 17.

More precisely, it concerns the sub versions 16.0.0 16.0.1 16.0.2 16.0.3 and 16.0.4.

Please replace your htdocs/public/ticket/ajax/ajax.php file with this one:

github.com

Dolibarr/dolibarr/blob/5e49ed17d3ef858dff59cdc458624e3df52dd291/htdocs/public/ticket/ajax/ajax.php

<?php
/**
 * Copyright (C) 2020 Laurent Destailleur <eldy@users.sourceforge.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 */

/**
 *	\file       htdocs/public/ticket/ajax/ajax.php

This file has been truncated. show original

Description of the vulnerability and thanks to him: Dolibarr : unauthenticated contacts database theft | DSecBypass

To summarize, it is possible to extract your entire dolibarr contact database without even being authenticated…

Best regards,
Erics
(source : Dolibarr 16.0 - Faille de sécurité - Maintenir mon Dolibarr - Forum Dolibarr france)

playcock · March 24, 2023, 2:07pm

@ksar
I know that you have a thread that you update whenever a new Dolibarr version is released. What are your thoughts on creating a similar thread that covers whenever a security risk, such as this, is exposed? I would certainly subscribe to that thread.

ksar · March 24, 2023, 7:58pm

Hello @playcock,

Large topic…
Currently, we have :

Github with CVE label
Official CVE repository
Security Advisories · Dolibarr/dolibarr · GitHub (But not populated for now)

Currently, @eldy and Dolibarr association is looking at how to better report/communicate on CVE.

I will keep you informed.

eldy · March 29, 2023, 11:28am

Currently the best solution seems to be an issue with the “CVE label”.