Dolibarr security: Without install.lock file, Dolibarr is vulnerable

Hello all,

To all integrators, developers (or even self-hosted installation users) who have Dolibarr accessible from the internet, be sure to put/create an install.lock file in your document folder. (Where is this folder? You chose it during installation; if you don't remember, look in your conf/conf.php file.)

An exploit, documented on specialized sites, allows admin account creation and then code execution on your server. This exploit has already been reported on some “badly” installed Dolibarr instances.
Code execution => the hacker will be able to do whatever he wants on your server: encrypt it, recover your database, send spam, and if you have your online store or your website on the same server, the same applies to them… in short, everything that can be done with a server on the Internet.

This is not a direct security vulnerability of Dolibarr, because it is a good practice and Dolibarr tells you when you have not done it (on the home page).
If you leave the keys in the door when you have been told not to…

Thanks to @FHenry, who reported today the exploitation of “weak” Dolibarr’s

4 Likes
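As an added example (not code from the Dolibarr project or from anyone in this thread), a POSIX shell check that reads the documents folder from conf/conf.php and verifies, or creates, the install.lock file described above. It assumes conf.php sets the standard `$dolibarr_main_data_root` variable and that the script runs as a user allowed to write to that folder.

```shell
#!/bin/sh
# Added example: verify that a Dolibarr instance has its install.lock file.
# Assumes conf/conf.php contains a line like:
#   $dolibarr_main_data_root='/var/www/documents';

# Print the documents folder configured in the given conf.php (empty if not found).
dol_data_root() {
    grep -m1 '^[[:space:]]*\$dolibarr_main_data_root[[:space:]]*=' "$1" \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/;.*$//' \
            -e "s/^['\"]//" -e "s/['\"]\$//"
}

# Exit status: 0 = install.lock present, 1 = missing, 2 = conf.php unreadable
# or the data root could not be determined.
check_install_lock() {
    conf="$1"
    [ -r "$conf" ] || return 2
    root=$(dol_data_root "$conf")
    [ -n "$root" ] || return 2
    [ -f "$root/install.lock" ]
}

# Create install.lock (read-only) in the documents folder if it is missing.
# Exit status: 0 = lock present afterwards, 1 = could not write, 2 = no data root.
ensure_install_lock() {
    root=$(dol_data_root "$1")
    [ -n "$root" ] || return 2
    if [ ! -f "$root/install.lock" ]; then
        printf 'install locked on %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            > "$root/install.lock" || return 1
        chmod 0444 "$root/install.lock"
    fi
    return 0
}
```

Run `check_install_lock /path/to/htdocs/conf/conf.php` from cron or a deployment hook; a non-zero status means the install wizard is still reachable and the lock should be created.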

Why not modify the install script to create the file by itself on the first installation? I think it won’t be too hard.

Hello,

There is a global constant for that: MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE
But it is not activated by default.

Ongoing corrective PRs are proposed:

  1. fix: always display security warning on home page by FHenry · Pull Request #22858 · Dolibarr/dolibarr · GitHub
  2. FIX: base64_decode shloud be forbiden in dol_eval by FHenry · Pull Request #22863 · Dolibarr/dolibarr · GitHub
  3. FIX SECURITY don't create an admin if an admin already exists by hregis · Pull Request #22862 · Dolibarr/dolibarr · GitHub

2 Likes

Hello,

Dolibarr V16.0.3 integrates some security fixes that prevent the current attack from working.
But, without install.lock, your installation is still vulnerable, at least to new admin creation.

Anyone know the release date for 17? Today is the 31st of January.