CVE-2020-14209
Published 2020-09-02


Priority P2 74 high, CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged
EPSS: 27.48% (97.8th percentile)
Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).

Affected (2 ranges)

Vendor    Product   Version range    Fixed in
dolibarr  dolibarr  < 11.0.5         11.0.5
dolibarr  dolibarr  >= 0 < 11.0.5    11.0.5

Detection & IOCs (extracted from sources)

Type      Value
path      user/document.php
path      documents/users/{id}/
filename  .htaccess
filename  .pht
filename  .phar
filename  .noexe
command   AddType application/x-httpd-php .noexe / AddHandler application/x-httpd-php .noexe / Order deny,allow / Allow from all
url       http://127.0.0.1/htdocs/index.php
url       http://127.0.0.1/htdocs/user/document.php
  • Monitor POST requests to user/document.php containing multipart file uploads with dangerous extensions: .pht, .phar, .phpt, .phtml, .php3, .php4, .php5, .php6, .php7, .shtml
  • Alert on POST to user/document.php with action=renamefile where renamefileto ends in .php or other executable extension — indicates file-renaming bypass technique
  • Detect upload of a .htaccess file to the Dolibarr documents/users/ directory, especially containing 'AddType application/x-httpd-php' or 'AddHandler application/x-httpd-php' directives targeting .noexe files
  • Detect GET requests to documents/users/{id}/*.pht, *.phar, *.noexe, *.shtml with a query parameter 'cmd=' — indicates RCE payload execution attempt
  • Monitor POST to user/document.php with action=confirm_deletefile targeting '.htaccess', immediately followed by a rename of an uploaded file to '.htaccess' — classic htaccess swap attack pattern
  • Detect SSI-based exploitation: upload of .shtml files to user document area with Accept header containing OS commands
  • The exploit targets Dolibarr versions prior to 11.0.5; the vulnerability is fixed in 11.0.5 and later. The exploit requires authenticated access (low-privilege user credentials).
  • The .noexe protection mechanism in Dolibarr is bypassable via .htaccess upload; detection rules should not rely solely on .noexe extension blocking as a security control.
  • Three distinct exploitation methods exist (extension-bypass, file-renaming, htaccess); detection coverage must address all three independently.
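Added example, not from this record's sources or from the Dolibarr project: a small detector that applies the rules above to request records in the shape an application or WAF log might yield (assumed fields: method, path, params for form and query fields, and an optional upload filename plus upload body), and flags the delete-then-rename .htaccess swap across an ordered stream. The "file" parameter name in the constructed samples is a placeholder.

```python
import os
import re

# Upload extensions the advisory lists as dangerous on user/document.php
DANGEROUS_EXT = {".pht", ".phar", ".phpt", ".phtml", ".php", ".php3", ".php4",
                 ".php5", ".php6", ".php7", ".shtml"}
# .htaccess directives from the advisory that make .noexe files run as PHP
HTACCESS_MARKERS = ("AddType application/x-httpd-php", "AddHandler application/x-httpd-php")
# Direct fetch of an uploaded file under documents/users/{id}/ with a suspect extension
DOC_FETCH_RE = re.compile(r"/documents/users/\d+/[^/]+\.(pht|phar|noexe|shtml)$", re.I)

def classify(req):
    """Return the advisory's rule names triggered by one request record."""
    hits, params, upload = [], req.get("params", {}), req.get("upload")
    post_doc = req["method"] == "POST" and req["path"].endswith("/user/document.php")
    if post_doc and upload:  # multipart upload: inspect the client-supplied filename and content
        if os.path.splitext(upload)[1].lower() in DANGEROUS_EXT:
            hits.append("dangerous-extension-upload")
        if upload.lower() == ".htaccess" or any(m in req.get("body", "") for m in HTACCESS_MARKERS):
            hits.append("htaccess-upload")
    if post_doc and params.get("action") == "renamefile":  # rename-after-upload bypass
        target = params.get("renamefileto", "")
        if os.path.splitext(target)[1].lower() in DANGEROUS_EXT:
            hits.append("rename-to-executable")
        if target.lower() == ".htaccess":
            hits.append("rename-to-htaccess")
    if post_doc and params.get("action") == "confirm_deletefile" and any(str(v).endswith(".htaccess") for v in params.values()):
        hits.append("htaccess-delete")
    if req["method"] == "GET" and DOC_FETCH_RE.search(req["path"]) and "cmd" in params:
        hits.append("payload-execution-attempt")
    return hits

def scan(requests):
    """Classify an ordered stream; add 'htaccess-swap' when a .htaccess delete precedes a rename to .htaccess."""
    alerts, pending = [], False
    for req in requests:
        hits = classify(req)
        if pending and "rename-to-htaccess" in hits:
            hits.append("htaccess-swap")
        pending = "htaccess-delete" in hits or (pending and "htaccess-swap" not in hits)
        alerts.append(hits)
    return alerts

SAMPLE = [  # constructed sample records (not real traffic); the "file" key is a placeholder name
    {"method": "POST", "path": "/htdocs/user/document.php", "params": {"id": "1"}, "upload": "x.pht"},
    {"method": "POST", "path": "/htdocs/user/document.php", "params": {"action": "confirm_deletefile", "file": ".htaccess"}},
    {"method": "POST", "path": "/htdocs/user/document.php", "params": {"action": "renamefile", "renamefileto": ".htaccess"}},
    {"method": "GET", "path": "/htdocs/documents/users/1/x.noexe", "params": {"cmd": "test"}},
]
```

Running `scan(SAMPLE)` yields one alert list per record; the third record is tagged with the swap pattern only because the .htaccess delete came first.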

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P
osv     -        8.8    HIGH      -