| Field | Value |
|---|---|
| Title | Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection |

Description:

Suggested CVSS and CWE:
7.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vulnerability:

The PUT /api/index.php/shipments/{id} endpoint accepts a JSON body where fk_project is concatenated directly into an UPDATE query without an integer cast.

The Expedition class has an empty $fields array, so _checkValForAPI() in api.class.php never hits the integer sanitization branch. It falls back to sanitizeVal($value, 'alphanohtml'), which strips HTML but doesn't enforce numeric input. The update() method's clean-parameters block casts socid, fk_user_author, fk_user_valid, fk_delivery_address, and shipping_method_id to (int) but skips fk_project. Line 1698 drops the raw value straight into SQL.
Reproduction:

1. Enable the Shipments and API modules.
2. Get an API key for a user with shipment write permission.
3. Create a shipment (via UI or API).
4. Send:

```shell
curl -s -o /dev/null -w "Time: %{time_total}s\n" -X PUT \
  'http://TARGET/api/index.php/shipments/{id}' \
  -H 'DOLAPIKEY: {token}' \
  -H 'Content-Type: application/json' \
  -d '{"fk_project": "0 OR SLEEP(5)"}'
```
Baseline response: <1s. With payload: ~5s, i.e. we've got blind time-based SQLi.
Validated with sqlmap, which pulled the DB user (dolidbuser@%)
and database name (dolidb) through time-based extraction.
An authenticated API user can read the full database contents
including password hashes from llx_user.
Remediation:

Add an (int) cast for fk_project in the update() clean-parameters block in htdocs/expedition/class/expedition.class.php. Populate Expedition::$fields with type definitions so _checkValForAPI() can enforce integer typing at the API layer.
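To make the defect and the suggested fix concrete, here is an added example (not Dolibarr's code) that contrasts an update builder concatenating the raw fk_project value with one that validates and casts it first, which is what the remediation above asks for. The function, table and column names are hypothetical stand-ins, and the request body is constructed from the reproduction step.

```php
<?php
// Hypothetical stand-in for the update() clean-parameters block; not Dolibarr code.
// Constructed request body, shaped like the PUT payload in the reproduction step.
$body = json_decode('{"fk_project": "0 OR SLEEP(5)"}', true);

// Vulnerable shape: whatever string arrived in the JSON body is concatenated
// into the UPDATE statement, so SQL syntax in the value reaches the database.
function buildUpdateVulnerable(array $params, int $id): string
{
    return "UPDATE llx_expedition SET fk_project = " . $params['fk_project']
        . " WHERE rowid = " . $id;
}

// Hardened shape, step 1: enforce integer typing at the API layer (the role
// _checkValForAPI() plays once $fields declares fk_project as an integer).
function checkIntParam(string $name, $value): int
{
    $isIntString = is_string($value) && preg_match('/^-?\d+$/', $value) === 1;
    if (!is_int($value) && !$isIntString) {
        throw new InvalidArgumentException("$name must be an integer");
    }
    return (int) $value;
}

// Hardened shape, step 2: cast again right before the value reaches SQL, so the
// query is safe even if a caller bypasses the API-layer check.
function buildUpdateHardened(array $params, int $id): string
{
    $fkProject = (int) checkIntParam('fk_project', $params['fk_project']);
    return "UPDATE llx_expedition SET fk_project = " . $fkProject
        . " WHERE rowid = " . $id;
}

// The vulnerable builder lets the attacker-controlled text through unchanged.
echo buildUpdateVulnerable($body, 42), "\n";

// The hardened builder refuses the same body before any SQL is built.
try {
    echo buildUpdateHardened($body, 42), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A well-formed numeric string still works and is emitted as a bare integer.
echo buildUpdateHardened(['fk_project' => '7'], 42), "\n";
```

Casting alone (without the type check) would also neutralise the payload, since `(int) "0 OR SLEEP(5)"` is 0, but rejecting malformed input at the API layer gives the caller a clear error instead of silently writing a wrong project id.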

| Field | Value |
|---|---|
| User | chris00 (UID 97188) |
| Submitted | 08.04.2026 04:09 (2 months ago) |
| Moderated | 02.05.2026 18:27 (25 days later) |
| Status | accepted |
| VulDB entry | 360858 [Dolibarr ERP CRM up to 23.0.2 Shipments API Endpoint expedition.class.php _checkValForAPI fields SQL Injection] |
| Points | 17 |