CVE-2018-10092
Description
Dolibarr before 7.0.2 allows authenticated admin to execute arbitrary commands via unsanitized antivirus command settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The admin panel in Dolibarr before version 7.0.2 allows an authenticated administrator to update the antivirus command and parameters used to scan file uploads. The input is not sufficiently sanitized, allowing injection of arbitrary OS commands. The vulnerable code in the admin panel updates the MAIN_ANTIVIRUS_COMMAND and MAIN_ANTIVIRUS_PARAM settings without proper validation. [1][4]
Exploitation
An attacker with admin panel access (or an admin tricked into clicking a malicious link) can set the antivirus command or parameters to include shell metacharacters such as `|`, `;`, `<`, `>`, `&`. The attacker then triggers a file upload scan, which executes the injected command. No additional authentication is needed beyond admin privileges. [1]
Impact
Successful exploitation leads to remote code execution on the server under the web server user context. This can result in full compromise of the Dolibarr installation and potentially the underlying system. [1]
Mitigation
The fix was released in Dolibarr version 7.0.2. The commit removes dangerous characters from the antivirus command and parameter inputs. Users should upgrade to 7.0.2 or later. Alternatively, restrict admin panel access to trusted users. [4]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dolibarr/dolibarr (Packagist) | < 7.0.2 | 7.0.2 |
Affected products
Patches (1)
5d121b2d3ae2 FIX CVE-2018-10092
1 file changed · +10 −5
htdocs/admin/security_file.php+10 −5 modified@@ -82,10 +82,15 @@ else if ($action == 'updateform') { + $antivircommand = GETPOST('MAIN_ANTIVIRUS_COMMAND','none'); // Use GETPOST none because we must accept ". Example c:\Progra~1\ClamWin\bin\clamscan.exe + $antivirparam = GETPOST('MAIN_ANTIVIRUS_PARAM','none'); // Use GETPOST none because we must accept ". Example --database="C:\Program Files (x86)\ClamWin\lib" + $antivircommand = dol_string_nospecial($antivircommand, '', array("|", ";", "<", ">", "&")); // Sanitize command + $antivirparam = dol_string_nospecial($antivirparam, '', array("|", ";", "<", ">", "&")); // Sanitize params + $res3=dolibarr_set_const($db, 'MAIN_UPLOAD_DOC',GETPOST('MAIN_UPLOAD_DOC','alpha'),'chaine',0,'',$conf->entity); $res4=dolibarr_set_const($db, "MAIN_UMASK", GETPOST('MAIN_UMASK','alpha'),'chaine',0,'',$conf->entity); - $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim(GETPOST('MAIN_ANTIVIRUS_COMMAND','none')),'chaine',0,'',$conf->entity); // Use GETPOST none because we must accept " - $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim(GETPOST('MAIN_ANTIVIRUS_PARAM','none')),'chaine',0,'',$conf->entity); // Use GETPOST none because we must accept " + $res5=dolibarr_set_const($db, "MAIN_ANTIVIRUS_COMMAND", trim($antivircommand),'chaine',0,'',$conf->entity); + $res6=dolibarr_set_const($db, "MAIN_ANTIVIRUS_PARAM", trim($antivirparam),'chaine',0,'',$conf->entity); if ($res3 && $res4 && $res5 && $res6) setEventMessages($langs->trans("RecordModifiedSuccessfully"), null, 'mesgs'); } 
@@ -95,10 +100,10 @@ else if ($action == 'delete') { $langs->load("other"); - $file = $conf->admin->dir_temp . '/' . GETPOST('urlfile'); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). + $file = $conf->admin->dir_temp . '/' . GETPOST('urlfile','alpha'); // Do not use urldecode here ($_GET and $_REQUEST are already decoded by PHP). $ret=dol_delete_file($file); - if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile')), null, 'mesgs'); - else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile')), null, 'errors'); + if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile','alpha')), null, 'mesgs'); + else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile','alpha')), null, 'errors'); Header('Location: '.$_SERVER["PHP_SELF"]); exit; }
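Review bot: in the first hunk (`security_file.php`, `updateform`), the new `dol_string_nospecial(..., array("|", ";", "<", ">", "&"))` calls are a five-character denylist applied only when the admin form is saved, so any `MAIN_ANTIVIRUS_COMMAND` or `MAIN_ANTIVIRUS_PARAM` value stored before this change is not cleaned, and the rest of this page notes that `getCliCommand()` applies `escapeshellarg()` only to the command string. Suggest also validating at the point of use, when the stored settings are read to build the scan command: check that the command resolves to the expected executable and pass the parameters as separate arguments rather than as part of one shell string. The inline comment already explains why `"` must be accepted (the `clamscan.exe` / `--database="C:\Program Files (x86)\ClamWin\lib"` examples); a one-line comment on why exactly these five characters are stripped would help the next maintainer.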
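Review bot: in the second hunk (`delete` action), moving `GETPOST('urlfile')` to the `'alpha'` filter narrows what reaches `$file`, but the path is still built by plain concatenation, `$conf->admin->dir_temp . '/' . GETPOST('urlfile','alpha')`, with no check that the result stays inside `dir_temp` before `dol_delete_file($file)` runs. Suggest resolving the final path and rejecting it unless it is a direct child of the temp directory, and reusing the already-filtered value once rather than calling `GETPOST('urlfile','alpha')` three times.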
Vulnerability mechanics
Root cause
"Missing input sanitization on antivirus command and parameter configuration values allows arbitrary OS command injection."
Attack vector
An authenticated attacker with admin panel access can set arbitrary values for `MAIN_ANTIVIRUS_COMMAND` and `MAIN_ANTIVIRUS_PARAM` via the `security_file.php` page [ref_id=1]. Although `escapeshellarg()` is used on the command string in `getCliCommand()`, the parameters are not sanitized and can contain shell metacharacters such as semicolons, allowing command injection [ref_id=1]. The injected command executes when any user uploads a file, because `dol_move_uploaded_file()` calls `dolCheckVirus()`, which invokes the antivirus scan [ref_id=1]. The researcher also demonstrated that the CSRF protection (which checks the Referer header) can be bypassed by hosting the exploit page on a subdirectory containing the target server's hostname, enabling a cross-site request forgery attack against an admin [ref_id=1].
Affected code
The vulnerability resides in `htdocs/admin/security_file.php` where the `MAIN_ANTIVIRUS_COMMAND` and `MAIN_ANTIVIRUS_PARAM` configuration values are stored without sanitization [patch_id=1701416]. These values are later used in `antivir.class.php`'s `getCliCommand()` method, which builds a shell command that is passed to PHP's `exec()` function [ref_id=1]. The `dolCheckVirus()` function in `files.lib.php` triggers the antivirus scan on every file upload [ref_id=1].
What the fix does
The patch adds sanitization by calling `dol_string_nospecial()` on both `MAIN_ANTIVIRUS_COMMAND` and `MAIN_ANTIVIRUS_PARAM` before storing them, stripping the shell characters `|`, `;`, `<`, `>` and `&`.
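An added example, written for this page and not taken from Dolibarr or from the researcher's advisory, that models the two halves of the story above in Python: the patch's denylist step over the same five characters (keeping `"`, for the Windows path case the patch comment mentions), a defender's audit over settings that were already stored before the upgrade, and a hardened way to build the scan command as an argv list instead of a single shell string, which the page's description of `getCliCommand()` and `exec()` motivates. All function names, the allowlist and the sample settings are assumptions constructed for the example.

```python
from __future__ import annotations

import shlex
import subprocess

# The five characters the 7.0.2 fix strips via dol_string_nospecial().
SHELL_METACHARS = ("|", ";", "<", ">", "&")


def strip_shell_metachars(value: str) -> str:
    """Mirror of the patch's denylist step: drop each listed character, then trim.

    Double quotes are kept on purpose: Windows-style values such as
    --database="C:\\Program Files (x86)\\ClamWin\\lib" must remain valid,
    which is why the original form used the 'none' GETPOST filter.
    """
    for ch in SHELL_METACHARS:
        value = value.replace(ch, "")
    return value.strip()


def find_shell_metachars(value: str) -> list[str]:
    """Return the listed metacharacters present in a setting, in list order."""
    return [ch for ch in SHELL_METACHARS if ch in value]


def audit_settings(settings: dict[str, str]) -> dict[str, list[str]]:
    """Report stored settings that still contain a listed metacharacter.

    The patch sanitizes only when the admin form is saved, so a value written
    before the upgrade would still be on disk; run this over the stored config.
    """
    findings: dict[str, list[str]] = {}
    for key, value in settings.items():
        hits = find_shell_metachars(value)
        if hits:
            findings[key] = hits
    return findings


def validate_config(command: str, params: str,
                    allowed_commands: frozenset[str]) -> str | None:
    """Return a rejection reason, or None when the command/params pair is acceptable."""
    if command not in allowed_commands:
        return f"antivirus command not on allowlist: {command!r}"
    bad = find_shell_metachars(params)
    if bad:
        return f"shell metacharacters in antivirus params: {bad}"
    try:
        shlex.split(params)
    except ValueError as exc:  # unbalanced quotes
        return f"unparseable antivirus params: {exc}"
    return None


def build_scan_argv(command: str, params: str, upload_path: str,
                    allowed_commands: frozenset[str]) -> list[str]:
    """Hardened builder (an assumed design, not Dolibarr's getCliCommand()).

    Rather than joining command + params into one string for a shell, the
    command must be on an operator-maintained allowlist, the params are split
    by shlex into separate argv entries, and the upload path is its own entry.
    """
    reason = validate_config(command, params, allowed_commands)
    if reason is not None:
        raise ValueError(reason)
    return [command, *shlex.split(params), upload_path]


def run_scan(argv: list[str], timeout_s: float = 60.0) -> int:
    """Run the scanner with shell=False so no argv entry is ever reinterpreted."""
    result = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout_s)
    return result.returncode


if __name__ == "__main__":
    # Constructed sample settings, as an admin form might have saved them.
    stored = {
        "MAIN_ANTIVIRUS_COMMAND": "/usr/bin/clamscan",
        "MAIN_ANTIVIRUS_PARAM": "--no-summary | cat",
    }
    print("audit findings:", audit_settings(stored))
    print("denylist result:", strip_shell_metachars(stored["MAIN_ANTIVIRUS_PARAM"]))
    allowed = frozenset({"/usr/bin/clamscan"})
    argv = build_scan_argv("/usr/bin/clamscan",
                           '--database="/var/lib/clamav" --no-summary',
                           "/tmp/upload.bin", allowed)
    print("argv:", argv)
```

The audit exists because the fix cleans values only on save; the argv builder exists because a denylist of five characters protects against exactly those five, whereas handing the scanner an argument vector with `shell=False` means nothing in the parameters is ever parsed as shell syntax.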
Preconditions
- auth: Attacker must have admin panel access (authenticated as admin)
- network: Attacker must be able to reach the admin/security_file.php endpoint
- config: The MAIN_ANTIVIRUS_COMMAND and MAIN_ANTIVIRUS_PARAM configuration values must be writable via the web interface (default behavior)
- input: A file upload must occur to trigger the injected command
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-6j62-m2vv-wc3m (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-10092 (NVD advisory)
- www.openwall.com/lists/oss-security/2018/05/21/2 (oss-security mailing list)
- github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog (vendor ChangeLog, confirmation)
- github.com/Dolibarr/dolibarr/commit/5d121b2d3ae2a95abebc9dc31e4782cbc61a1f39 (fix commit, confirmation)
- sysdream.com/news/lab/2018-05-21-cve-2018-10092-dolibarr-admin-panel-authenticated-remote-code-execution-rce-vulnerability (Sysdream researcher advisory; also listed by MITRE)