| タイトル | Dolibarr Dolibarr ERP/CRM 23.0.2 Authentication Bypass Issues |
|---|
| 説明 | Reported to vendor ([email protected]) on April 10, 2026.Description:
Critical Authentication Bypass via Cryptographic Downgrade
A high-impact authentication bypass vulnerability exists in Dolibarr ERP/CRM within the "Online Signature" module (newonlinesign.php and ajax/onlineSign.php).
The vulnerability is caused by a logic flaw in the dol_verifyHash function located in htdocs/core/lib/security.lib.php. The function improperly implements a cryptographic fallback mechanism that automatically downgrades to the legacy MD5 algorithm if the provided hash length is 32 characters.
In environments where the *_ONLINE_SIGNATURE_SECURITY_TOKEN (e.g., PROPOSAL_ONLINE_SIGNATURE_SECURITY_TOKEN) is not explicitly configured, the hashing seed remains an empty string. By exploiting this, an unauthenticated remote attacker can pre-calculate a valid MD5 hash based solely on predictable metadata (document type and reference).
By providing this forged 32-character MD5 hash as the securekey parameter, the attacker can successfully bypass all authentication checks.
Impact:
An unauthenticated attacker can gain full access to sensitive documents, including business proposals, contracts, and intervention reports. Furthermore, the attacker can forge, submit, or decline online signatures, compromising the integrity of the ERP’s legal and financial workflows.
Vulnerability Type: CWE-347 (Improper Verification of Cryptographic Signature) / CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). |
|---|
| ソース | ⚠️ https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158 |
|---|
| ユーザー | yan1451 (UID 94854) |
|---|
| 送信 | 2026年04月10日 07:22 (2 月 ago) |
|---|
| モデレーション | 2026年05月02日 18:27 (22 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 360859 [Dolibarr ERP CRM 迄 23.0.2 Online Signature security.lib.php dol_verifyHash 弱い認証] |
|---|
| ポイント | 20 |
|---|