CVE-2020-14209
Published 2020-09-02
Priority P2 · 74 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 27.48% (97.8th percentile)

Dolibarr before 11.0.5 allows low-privilege users to upload files of dangerous types, leading to arbitrary code execution. This occurs because .pht and .phar files can be uploaded. Also, a .htaccess file can be uploaded to reconfigure access control (e.g., to let .noexe files be executed as PHP code to defeat the .noexe protection mechanism).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dolibarr | dolibarr | < 11.0.5 | 11.0.5 |
| dolibarr | dolibarr | >= 0 < 11.0.5 | 11.0.5 |
Detection & IOCs (extracted from sources)

Captured .htaccess directives (IOC type: command):

```apache
AddType application/x-httpd-php .noexe
AddHandler application/x-httpd-php .noexe
Order deny,allow
Allow from all
```
- Monitor POST requests to user/document.php containing multipart file uploads with dangerous extensions: .pht, .phar, .phpt, .phtml, .php3, .php4, .php5, .php6, .php7, .shtml
- Alert on POST to user/document.php with action=renamefile where renamefileto ends in .php or another executable extension; this indicates the file-renaming bypass technique
- Detect upload of a .htaccess file to the Dolibarr documents/users/ directory, especially one containing 'AddType application/x-httpd-php' or 'AddHandler application/x-httpd-php' directives targeting .noexe files
- Detect GET requests to documents/users/{id}/*.pht, *.phar, *.noexe, *.shtml with a query parameter 'cmd='; this indicates an RCE payload execution attempt
- Monitor POST to user/document.php with action=confirm_deletefile targeting '.htaccess', immediately followed by a rename of an uploaded file to '.htaccess' (the classic .htaccess swap pattern)
- Detect SSI-based exploitation: upload of .shtml files to the user document area with an Accept header containing OS commands
- The exploit targets Dolibarr versions prior to 11.0.5; the vulnerability is fixed in 11.0.5 and later. The exploit requires authenticated access (low-privilege user credentials).
- The .noexe protection mechanism in Dolibarr is bypassable via .htaccess upload; detection rules should not rely solely on .noexe extension blocking as a security control.
- Three distinct exploitation methods exist (extension bypass, file renaming, .htaccess); detection coverage must address all three independently.
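As an added example (not part of the advisory, the indexed sources or Dolibarr itself), the following Python rule set applies the detection notes above to application-layer request records of the kind a WAF or request logger would emit. The record field names (`upload_name`, `upload_content`, `session`, `params`) and the `urlfile` deletion-target parameter are assumptions of this example; the page itself names only `action`, `renamefileto` and `cmd`.

```python
import os, re

# Extensions from the detection notes above (the upload list plus the .php rename target)
UPLOAD_EXT = {".pht", ".phar", ".phpt", ".phtml", ".php3", ".php4", ".php5", ".php6", ".php7", ".shtml", ".php"}
SERVED_EXT = {".pht", ".phar", ".noexe", ".shtml"}  # extensions in the GET ...?cmd= heuristic
PHP_HANDLER = re.compile(r"Add(?:Type|Handler)\s+application/x-httpd-php", re.I)
USER_DOC = re.compile(r"^/documents/users/\d+/[^/]+$")

def ext_of(name):
    return os.path.splitext(name.lower())[1]  # '' when the name has no extension

def classify(rec, state):
    """Rule names triggered by one record; `state` marks sessions that just deleted .htaccess."""
    hits, p, sid = [], rec.get("params", {}), rec["session"]
    upload, rename = rec.get("upload_name", ""), p.get("renamefileto", "")
    if rec["method"] == "POST" and rec["path"].endswith("/user/document.php"):
        if ext_of(upload) in UPLOAD_EXT:
            hits.append("dangerous-extension-upload")
        if p.get("action") == "renamefile" and ext_of(rename) in UPLOAD_EXT:
            hits.append("rename-to-executable")
        if ".htaccess" in (upload, rename):
            hits.append("htaccess-upload")
            if PHP_HANDLER.search(rec.get("upload_content", "")):
                hits.append("htaccess-php-handler")
            if state.get(sid):  # .htaccess deletion immediately followed by rename/upload to .htaccess
                hits.append("htaccess-swap")
        # 'urlfile' as the name of the deletion-target parameter is an assumption of this example
        deleted = p.get("action") == "confirm_deletefile" and p.get("urlfile", "").endswith(".htaccess")
        state[sid] = deleted  # reset unless this request was the .htaccess deletion
    elif rec["method"] == "GET" and USER_DOC.match(rec["path"]) and ext_of(rec["path"]) in SERVED_EXT and "cmd" in p:
        hits.append("payload-execution-attempt")
    return hits

def scan(records):
    state, out = {}, {}  # rules applied in order; returns {record index: [rule names]} for hits only
    for i, rec in enumerate(records):
        if hits := classify(rec, state):
            out[i] = hits
    return out

# Constructed sample records (not captured traffic): a benign upload, then each pattern from the notes
D = "/user/document.php"
SAMPLE = [
    {"method": "POST", "path": D, "session": "s1", "upload_name": "report.pdf"},
    {"method": "POST", "path": D, "session": "s1", "upload_name": "x.pht"},
    {"method": "POST", "path": D, "session": "s1", "params": {"action": "renamefile", "renamefileto": "x.php"}},
    {"method": "POST", "path": D, "session": "s1", "upload_name": ".htaccess",
     "upload_content": "AddHandler application/x-httpd-php .noexe"},
    {"method": "POST", "path": D, "session": "s2", "params": {"action": "confirm_deletefile", "urlfile": ".htaccess"}},
    {"method": "POST", "path": D, "session": "s2", "params": {"action": "renamefile", "renamefileto": ".htaccess"}},
    {"method": "GET", "path": "/documents/users/7/x.noexe", "session": "s2", "params": {"cmd": "test"}},
]
```

`scan(SAMPLE)` flags records 1, 2, 3, 5 and 6 and leaves the benign PDF upload and the bare deletion request unflagged; the deletion only matters as context for the rename that follows it in the same session.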
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
Sources

- OSV (2022-05-24): CVE-2020-14209 [HIGH] Dolibarr Unrestricted Upload of File with Dangerous Type
- GHSA (2022-05-24): CVE-2020-14209 [HIGH] CWE-434 Dolibarr Unrestricted Upload of File with Dangerous Type
- OSV (2020-09-02, CVSS 8.8): CVE-2020-14209 [HIGH] CVE-2020-14209: Dolibarr before 11

All three sources carry the same description as given at the top of this record.
No detection rules found.
No writeups or analysis indexed.
References

- http://packetstormsecurity.com/files/161955/Dolibarr-ERP-CRM-11.0.4-Bypass-Code-Execution.html
- https://github.com/Dolibarr/dolibarr/releases/tag/11.0.5
- https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2020-012