VYPR
Unrated severity · NVD Advisory · Published May 23, 2026

Dolibarr ERP CRM 7.0.3 Remote Code Evaluation via install/step1.php

CVE-2018-25357

Description

Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dolibarr ERP CRM 7.0.3 allows unauthenticated remote code execution via PHP injection in the db_name parameter during installation.

Vulnerability

Dolibarr ERP CRM version 7.0.3 and earlier contain a remote code evaluation vulnerability in the installation script install/step1.php. The db_name POST parameter is not properly sanitized, allowing an attacker to inject arbitrary PHP code. This code is then written into the configuration file and can be executed via the install/check.php endpoint using the cmd GET parameter [3][4].

Exploitation

An unauthenticated attacker can send a crafted POST request to install/step1.php with a malicious db_name value such as x\';system($_GET[cmd]);//. After the installation step completes, the attacker visits install/check.php?cmd= to execute arbitrary system commands. No authentication or prior access is required [3].

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code and system commands with the privileges of the web server user. This can lead to full compromise of the Dolibarr application, including data exfiltration, modification, and potential lateral movement within the hosting environment [4].

Mitigation

The vulnerability was fixed by the vendor on the same day it was reported (June 29, 2018) and is resolved in Dolibarr version 7.0.4 and later [3]. Users should upgrade to the latest supported version immediately. No workaround is available for unpatched installations. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
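Because no workaround exists short of upgrading, defenders of unpatched instances are left with detection. The following is an added example, not part of this advisory or of Dolibarr, that flags the request pattern described above in web-server access logs: a POST to install/step1.php followed by install/check.php being called with a cmd parameter, plus any installer path still answering 200. The log lines are constructed and the regex assumes Apache combined format; POST bodies (the db_name value) are not in access logs, so the check is path-based.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); IPs and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jun/2018:10:01:02 +0000] "POST /dolibarr/install/step1.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"
203.0.113.7 - - [29/Jun/2018:10:01:09 +0000] "GET /dolibarr/install/check.php?cmd=id HTTP/1.1" 200 812 "-" "curl/7.58.0"
198.51.100.4 - - [29/Jun/2018:10:02:00 +0000] "GET /dolibarr/index.php?mainmenu=home HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Jun/2018:10:02:05 +0000] "GET /dolibarr/install/check.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return (severity, reason, client_ip, request_target) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line: skip rather than guess
    ip, method, target, status = m["ip"], m["method"], m["target"], int(m["status"])
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    # The execution stage named in the advisory: check.php reached with a cmd parameter.
    if path.endswith("/install/check.php") and "cmd" in query:
        return ("high", "install/check.php called with cmd parameter", ip, target)
    # The injection stage: a POST to step1.php against an already-deployed instance.
    if path.endswith("/install/step1.php") and method == "POST":
        return ("medium", "POST to install/step1.php on a deployed instance", ip, target)
    # Exposure indicator: the installer directory is still served after setup.
    if "/install/" in path and status == 200:
        return ("low", "installer still reachable", ip, target)
    return None


def scan(log_text):
    """Run classify() over every line and return the non-empty findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for severity, reason, ip, target in scan(SAMPLE_LOG):
        print(f"[{severity.upper():6}] {ip} {target}  ({reason})")
```

A single client producing the medium finding and then the high finding within a short window is the sequence the advisory describes and merits an immediate upgrade check on that host.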

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
