oss-sec mailing list archives
Re: Dolibarr ERP & CRM - Multiple Issues
From: Brandon Perry <bperry.volatile () gmail com>
Date: Wed, 17 May 2017 16:21:42 -0500
On May 17, 2017, at 3:08 PM, Stefan Pietsch <stefan.pietsch () foxmole com> wrote:

> On 10.05.2017 10:28, FOXMOLE Advisories wrote:
>> === FOXMOLE - Security Advisory 2017-02-23 ===
>> Dolibarr ERP & CRM - Multiple Issues
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Affected Versions
>> =================
>> Dolibarr 4.0.4
>>
>> Issue Overview
>> ==============
>> Vulnerability Type: SQL Injection, Cross Site Scripting, Weak Hash Algorithm without Salt, Weak Password Change Method
>> Technical Risk: critical
>> Likelihood of Exploitation: medium
>> Vendor: Dolibarr
>> Vendor URL: https://www.dolibarr.org/
>> Credits: FOXMOLE employees Tim Herres and Stefan Pietsch
>> Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
>> Advisory Status: Public
>> OVE-ID: OVE-20170223-0001
>> CVE Number: CVE-2017-7886, CVE-2017-7887, CVE-2017-7888
>> CVE URL: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7886
>>          https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7887
>>          https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7888
>> CWE-ID: CWE-79, CWE-89, CWE-327, CWE-620, CWE-759
>> CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
>> --- snip ---
>
> Here is a small update to our security advisory.
>
> An additional CVE ID got assigned for the password change finding:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8879
>
> Meanwhile the Dolibarr developers fixed more possible SQL injection bugs in this git commit:
> https://github.com/Dolibarr/dolibarr/commit/fa290c34fad108ec7c0751c0372ae9c4b4f63b06
>
> They still didn't release a fixed version of the Dolibarr software.
>
> For CVE-2017-7886 I don't agree with the CVSS v2 scoring from the NIST. They rated "Confidentiality Impact" as partial while I think it is complete as we have full access to all tables.
But you don’t have access to the underlying system, such as configuration files with plaintext passwords or similar. Only in a poorly configured MySQL instance would you be able to read files in the first place. I agree that the Confidentiality Impact is partial.
> Regards,
> Stefan