CVE-2014-7137 in Dolibarr

Summary

by MITRE

Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4) lineid parameter in a deletecontact action, (5) ligne parameter in a swapstatut action, or (6) ref parameter to projet/contact.php; (7) id parameter to compta/bank/fiche.php, (8) contact/info.php, (9) holiday/index.php, (10) product/stock/fiche.php, (11) product/stock/info.php, or (12) in an edit action to product/stock/fiche.php; (13) productid parameter in an addline action to product/stock/massstockmove.php; (14) project_ref parameter to projet/tasks/note.php; (15) ref parameter to element.php, (16) ganttview.php, (17) note.php, or (18) tasks.php in projet/; (19) sall or (20) sref parameter to comm/mailing/liste.php; (21) search_bon, (22) search_ligne, (23) search_societe, or (24) search_code parameter to compta/prelevement/liste.php; (25) search_label parameter to compta/sociales/index.php; (26) search_project parameter to projet/tasks/index.php; (27) search_societe parameter to compta/prelevement/demandes.php; (28) search_statut parameter to user/index.php; (29) socid parameter to compta/recap-compta.php, (30) societe/commerciaux.php, or (31) societe/rib.php; (32) sortorder, (33) sref, (34) sall, or (35) sortfield parameter to product/stock/liste.php; (36) statut parameter to adherents/liste.php or (37) compta/dons/liste.php; (38) tobuy or (39) tosell parameter to product/liste.php; (40) tobuy, (41) tosell, (42) search_categ, or (43) sref parameter to product/reassort.php; (44) type parameter to product/index.php; or the (a) sortorder or (b) sortfield parameter to (45) compta/paiement/cheque/liste.php, (46) compta/prelevement/bons.php, (47) compta/prelevement/rejets.php, (48) product/stats/commande.php, (49) product/stats/commande_fournisseur.php, (50) product/stats/contrat.php, (51) product/stats/facture.php, (52) product/stats/facture_fournisseur.php, (53) product/stats/propal.php, or (54) product/stock/replenishorders.php.


Analysis

by VulDB Data Team • 04/04/2022

The vulnerability described in CVE-2014-7137 represents a critical SQL injection flaw affecting Dolibarr ERP/CRM versions prior to 3.6.1. This vulnerability stems from insufficient input validation and sanitization within multiple endpoints of the application, allowing authenticated attackers to inject malicious SQL commands into the database through various parameter inputs. The flaw exists across numerous modules including contact management, project tracking, financial accounting, product inventory, and user administration components, making it particularly dangerous due to its widespread impact throughout the application's functionality.

Exploitation of this vulnerability is possible through multiple vectors, each targeting a specific parameter of a different PHP script. Attackers can manipulate parameters such as contactid, ligne, project_ref, lineid, ref, id, and the various search and sort parameters to inject SQL payloads. These inputs are incorporated into SQL queries without sanitization or parameterization, so arbitrary database commands can be executed. The vulnerability corresponds to CWE-89, which covers SQL injection flaws where untrusted data is incorporated into SQL queries without adequate validation or escaping. This weakness allows attackers to extract, modify, or delete sensitive data from the underlying database.

The operational impact of this vulnerability is severe, as it enables authenticated attackers to gain unauthorized access to critical business data including customer information, financial records, project details, and user credentials. Attackers could potentially escalate privileges, create backdoors, or perform data exfiltration operations that could compromise the entire organization's data integrity and confidentiality. The vulnerability affects core business processes ranging from customer relationship management to financial accounting and inventory tracking, making it particularly dangerous for enterprise environments where Dolibarr serves as a central business application. Organizations using affected versions face significant risk of data breaches and potential regulatory compliance violations.

Mitigation strategies should include immediate patching to version 3.6.1 or later, which addresses the identified SQL injection vulnerabilities through proper input validation and parameterized query implementation. Additionally, implementing comprehensive input sanitization measures, including the use of prepared statements and parameterized queries, can prevent similar issues in future development. Network segmentation and access controls should be enforced to limit the potential impact of successful exploitation, while regular security audits and penetration testing should be conducted to identify and remediate other potential vulnerabilities. The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, highlighting the need for proper application hardening and regular security maintenance to prevent unauthorized access and data compromise.
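The prepared-statement and input-validation mitigation described above, as an added PHP example that is not Dolibarr's own code: it uses PDO rather than Dolibarr's database layer, the table and column names are placeholders, and it also covers the sortfield/sortorder parameters named in the summary, which cannot be bound as placeholders and therefore need an allowlist instead.

```php
<?php
// Added example, not Dolibarr code. Uses PDO (assumed available); table and
// column names are placeholders, not Dolibarr's real schema.

// sortfield / sortorder cannot be bound as placeholders, so they are
// checked against an allowlist and anything else falls back to a default.
const ALLOWED_SORT_FIELDS = ['p.ref', 'p.label', 'p.datec'];
const ALLOWED_SORT_ORDERS = ['ASC', 'DESC'];

function safe_order_by(string $sortfield, string $sortorder): string
{
    $field = in_array($sortfield, ALLOWED_SORT_FIELDS, true) ? $sortfield : 'p.ref';
    $order = strtoupper($sortorder);
    if (!in_array($order, ALLOWED_SORT_ORDERS, true)) {
        $order = 'ASC';
    }
    return " ORDER BY $field $order";
}

// The pattern the advisory describes is concatenation such as
//   "... WHERE rowid = " . $_GET['id']
// Here the id is validated as a positive integer and bound as a placeholder.
function fetch_stock_by_id(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject before anything reaches SQL
    }
    $stmt = $db->prepare('SELECT rowid, ref, label FROM product_stock WHERE rowid = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Listing with a bound search term (the sref / sall style filters) plus the
// allowlisted ORDER BY clause.
function list_products(PDO $db, string $sortfield, string $sortorder, string $sref = ''): array
{
    $sql = 'SELECT p.rowid, p.ref, p.label FROM product AS p';
    $params = [];
    if ($sref !== '') {
        $sql .= ' WHERE p.ref LIKE :sref';
        $params[':sref'] = '%' . $sref . '%';
    }
    $sql .= safe_order_by($sortfield, $sortorder);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```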

Reservation: 09/21/2014

Disclosure: 11/21/2014

Moderation: accepted

Entry: VDB-72951

CPE: ready

EPSS: 0.00335

KEV: no

Activities: very low
