CVE-2018-10094
Published 2018-05-22
Priority P2 79 · critical · CVSS 3.0 score 9.8
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit available
EPSS 71.24% (99.3rd percentile)
SQL injection vulnerability in Dolibarr before 7.0.2 allows remote attackers to execute arbitrary SQL commands via vectors involving integer parameters without quotes.
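Why escaping does not help when the parameter lands in an unquoted integer slot, shown as an added example that is not Dolibarr's code. Assumptions: the query shape `... WHERE statut IN (<value>)` is inferred from the payload's leading `1)`, which closes an IN (...) list; the `member` table is a constructed stand-in for the real schema; SQLite's in-memory engine is used so the block runs offline, so the adapted payload uses `sqlite_version()` and a `-- ` comment where the MySQL payload on this page uses `version()` and `#`; and `mysql_style_escape()` only emulates the character set that MySQL's real_escape_string() rewrites.

```python
import sqlite3
from typing import Optional

# Constructed payload, adapted from the one on this page for SQLite:
# sqlite_version() replaces version(), "-- " replaces the MySQL "#" comment,
# and three columns match the toy table below (the real payload pads to 29).
PAYLOAD = "1) union select 0,1,sqlite_version()-- "


def mysql_style_escape(value: str) -> str:
    """Emulate the character escaping of MySQL's real_escape_string(): it only
    rewrites NUL, backslash, quotes, CR, LF and ^Z. It never touches ')', spaces
    or keywords, so a payload aimed at an unquoted integer slot passes unchanged."""
    table = {"\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"',
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def _demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the member table; not Dolibarr's llx_ schema."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE member (id INTEGER PRIMARY KEY, login TEXT, statut INTEGER);"
        "INSERT INTO member VALUES (1, 'alice', 1), (2, 'bob', 0);"
    )
    return con


def list_members_vulnerable(statut: str) -> list:
    """Pre-7.0.2 pattern (assumed shape): the escaped value is concatenated into
    an IN (...) list with no surrounding quotes, so escaping changes nothing."""
    sql = ("SELECT id, login, statut FROM member WHERE statut IN ("
           + mysql_style_escape(statut) + ")")
    return _demo_db().execute(sql).fetchall()


def list_members_hardened(statut: str) -> Optional[list]:
    """Fix: coerce to int before use (the GETPOST(..., 'int') idea), then bind
    the value as a query parameter instead of concatenating it."""
    try:
        statut_int = int(statut)
    except ValueError:
        return None  # reject the request; "1) union select ..." is not an integer
    return _demo_db().execute(
        "SELECT id, login, statut FROM member WHERE statut IN (?)", (statut_int,)
    ).fetchall()


if __name__ == "__main__":
    print(list_members_vulnerable(PAYLOAD))  # attacker-controlled row with the DB version
    print(list_members_hardened(PAYLOAD))    # None: rejected before any SQL is built
```

The vulnerable function returns the legitimate member row plus a second row whose third column is the database version string, exactly the shape of the `version()` leak in the page's payload; the hardened one never builds a query for the same input.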
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | < 7.0.2 | 7.0.2 |
| dolibarr | dolibarr | >= 0 < 7.0.2 | 7.0.2 |
Detection & IOCs (extracted from sources)
URL: /dolibarr/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
Payload (decoded): 1) union select 0,1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#
Payload (URL-encoded): %31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
- Monitor GET requests to /dolibarr/adherents/list.php where the 'statut' parameter contains URL-encoded SQL injection payloads (percent-encoded digits and SQL keywords such as union/select).
- The filter bypass relies on URL-encoding the payload to evade keyword checks for 'union', 'select', 'insert', etc. Detect fully percent-encoded SQL keywords in GET parameters targeting Dolibarr endpoints.
- The attack targets integer parameters that are concatenated into SQL queries without quotes; look for non-numeric values (especially ones containing a closing parenthesis followed by SQL keywords) supplied to integer-typed GET parameters in Dolibarr.
- The Metasploit auxiliary module 'auxiliary/gather/dolibarr_creds_sqli' exploits this vulnerability to harvest usernames and encrypted passwords; alert on its use or on matching HTTP request patterns.
- The Dolibarr session cookie name follows the pattern 'DOLSESSID_<hex>'; its presence in HTTP logs indicates an authenticated Dolibarr session, which this exploit requires.
- The vulnerability affects only Dolibarr versions prior to 7.0.2. The injection is possible because the escape() wrapper uses real_escape_string(), which neutralises quote and control characters only and therefore does nothing for an integer parameter that is concatenated into SQL unquoted.
- Exploitation requires an authenticated session; both the Metasploit module and the PoC operate as an authenticated user.
- The built-in SQL keyword filter (test_sql_and_script_inject) checks only for plaintext keywords; a fully URL-encoded payload bypasses it entirely, so WAF rules must decode percent-encoding before matching.
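The detection points above (decode before matching, flag non-numeric values in integer-typed parameters, scope to Dolibarr endpoints) run over constructed log lines, as an added example that is not part of the original page or of any vendor rule set. Assumptions: the install path `/dolibarr/`, the set `INTEGER_PARAMS` (only 'statut' comes from this page; the others are illustrative), Apache combined log format, and the two made-up lines around the real encoded payload. The `raw_keyword_hit` field shows what a filter matching on the undecoded query string sees, which is how the page describes the built-in check being bypassed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines. Line 2 carries the exact
# URL-encoded payload reported for CVE-2018-10094; lines 1 and 3 are made up
# (a benign request and a double-encoded variant of the same attack).
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2018:10:15:22 +0000] "GET /dolibarr/adherents/list.php?leftmenu=members&statut=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/May/2018:10:16:03 +0000] "GET /dolibarr/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23 HTTP/1.1" 200 7300 "-" "python-requests/2.18"',
    '198.51.100.9 - - [30/May/2018:10:16:40 +0000] "GET /dolibarr/adherents/list.php?statut=%2531%2529%2520union%2520select%25201 HTTP/1.1" 200 7300 "-" "python-requests/2.18"',
]

DOLIBARR_PREFIX = "/dolibarr/"              # assumed install path
INTEGER_PARAMS = {"statut", "rowid", "id"}  # assumed integer-typed params; only 'statut' is on this page
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SQL_KEYWORD_RE = re.compile(
    r"\b(union|select|insert|delete|update|drop)\b|information_schema|version\s*\(", re.I)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Peel nested percent-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_request(target: str) -> list:
    """Return findings for one request target (path + query string)."""
    parts = urlsplit(target)
    if not parts.path.startswith(DOLIBARR_PREFIX) or not parts.path.endswith(".php"):
        return []
    # What a filter matching on the raw, undecoded query string would see:
    # for a percent-encoded payload there is no keyword to match at all.
    raw_keyword_hit = bool(SQL_KEYWORD_RE.search(parts.query))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already removed one layer
        reasons = []
        if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", decoded):
            reasons.append("non-integer value in integer parameter")
        if SQL_KEYWORD_RE.search(decoded):
            reasons.append("sql keyword after decoding")
        if reasons:
            findings.append({"path": parts.path, "param": name, "decoded": decoded,
                             "reasons": reasons, "raw_keyword_hit": raw_keyword_hit})
    return findings


def scan_log(lines) -> list:
    """Scan GET requests in access-log lines; each finding records its line number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and m.group("method") == "GET":
            for f in scan_request(m.group("target")):
                findings.append({"line": lineno, **f})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Both malicious lines are flagged on the decoded value while `raw_keyword_hit` stays false for them, which is the bypass the page describes; the benign request with `statut=1` produces nothing.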
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- OSV: 9.8 CRITICAL
GHSA · 2022-05-14 · Dolibarr SQL injection vulnerability · CVE-2018-10094 [CRITICAL] CWE-89
OSV · 2022-05-14 · Dolibarr SQL injection vulnerability · CVE-2018-10094 [CRITICAL]
OSV · 2018-05-22 · CVSS 9.8 · CVE-2018-10094: SQL injection vulnerability in Dolibarr before 7 · CVE-2018-10094 [CRITICAL]
No detection rules found.
Exploit-DB · 2018-05-30 · CVSS 9.8 · Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection · CVE-2018-10094 [CRITICAL]
---
# [CVE-2018-10094] Dolibarr SQL Injection vulnerability
## Description
Dolibarr is an "Open Source ERP & CRM for Business" used by many companies worldwide.
It is available through [GitHub](https://github.com/Dolibarr/dolibarr) or as distribution packages (e.g. .deb package).
**Threat**
The application does not handle user input properly and allows execution of arbitrary SQL commands on the database.
**Expectation**
Prepared queries should be used in order to avoid SQL injection in user input.
## Vulnerability type
**CVE ID**: CVE-2018-10094
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-89
**CVSS Base Score**: 7.5
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
## D
Metasploit · Dolibarr Gather Credentials via SQL Injection
This module enables an authenticated user to collect the usernames and encrypted passwords of other users in the Dolibarr ERP/CRM via SQL injection.
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2018/05/21/1
- https://github.com/Dolibarr/dolibarr/blob/7.0.2/ChangeLog
- https://github.com/Dolibarr/dolibarr/commit/7ade4e37f24d6859987bb9f6232f604325633fdd
- https://sysdream.com/news/lab/2018-05-21-cve-2018-10094-dolibarr-sql-injection-vulnerability/
- https://www.exploit-db.com/exploits/44805/