CVE-2021-25957
📋 TL;DR
CVE-2021-25957 is an authentication bypass vulnerability in Dolibarr's password reset functionality that allows low-privileged attackers to reset any user's password and take over their account. This affects Dolibarr versions 2.8.1 through 13.0.2. Attackers can compromise any user account including administrators, leading to complete system compromise.
💻 Affected Systems
- Dolibarr ERP/CRM
📦 What is this software?
Dolibarr is an open-source ERP/CRM suite written in PHP and maintained by the Dolibarr project. It is typically deployed as a web application on Apache or nginx with PHP-FPM, which is why the mitigations below can be applied at the web server layer.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover where an attacker resets administrator passwords, gains full control of the Dolibarr instance, accesses sensitive business data, and potentially pivots to other systems.
Likely Case
Account takeover of regular users leading to unauthorized access to business data, financial information, and potential privilege escalation within the application.
If Mitigated
Limited impact if strong network segmentation, monitoring, and additional authentication factors are in place, though the vulnerability still allows account compromise.
🎯 Exploit Status
Exploitation requires only a low-privileged account on the application; no administrator rights are needed. The flaw is public: the vendor's fix commit and the linked advisory document it, and the page's sources describe a proof of concept as available. Treat it as readily exploitable by any authenticated user.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.0.3 and later
Fix Commit: https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377
Restart Required: No
Instructions:
1. Back up your Dolibarr installation (the htdocs tree and the documents directory) and the database.
2. Download Dolibarr version 13.0.3 or later from the official repository.
3. Replace the vulnerable files with the patched version.
4. Clear application caches if applicable (including PHP opcache if it is enabled).
5. Test the password reset functionality.
🔧 Temporary Workarounds
Disable Password Reset Functionality
Temporarily disable the forgotten-password flow to prevent exploitation while planning an upgrade. The original snippet here referred to a MAIN_DISABLE_PASSWORD_RESET setting, which this page does not confirm exists; the reliable route is to block the reset handler at the web server. Dolibarr's forgotten-password handler is htdocs/user/passwordforgotten.php.
# Apache 2.4 example: in the vhost or in htdocs/.htaccess, deny the reset handler entirely
<Files "passwordforgotten.php">
    Require all denied
</Files>
# Dolibarr also honours the MAIN_SECURITY_DISABLEFORGETPASSLINK constant (set from Home > Setup > Other setup),
# which hides the "forgotten password" link on the login page. Hiding the link alone does not
# block direct requests to the handler, so do not rely on it without the web-server rule above.
Implement Rate Limiting
Add rate limiting to password reset requests so that mass-reset attempts are slower and noisier. The original Apache snippet used LimitRequestBody and LimitRequestFields, which cap request body size and header count, not request rate; stock Apache has no per-URL request rate limit (mod_evasive or a WAF is needed), so the example below uses nginx.
# nginx: allow 3 requests per minute per client IP to the reset handler
# (limit_req_zone goes in the http context, the location in the Dolibarr server block)
limit_req_zone $binary_remote_addr zone=pwreset:10m rate=3r/m;
location = /user/passwordforgotten.php {
    limit_req zone=pwreset burst=2 nodelay;
    # existing PHP-FPM / fastcgi directives for this site go here
}
🧯 If You Can't Patch
- Implement network segmentation to isolate Dolibarr from critical systems
- Enable multi-factor authentication for all user accounts
🔍 How to Verify
Check if Vulnerable:
Check your Dolibarr version by navigating to the About page in the admin interface (Home > System info > About), or by reading the DOL_VERSION constant defined in htdocs/filefunc.inc.php in the installation directory. Any version from 2.8.1 through 13.0.2 is affected.
Check Version:
grep -m1 "DOL_VERSION" htdocs/filefunc.inc.php
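The one-line grep above answers the question for a single host, but when you have several instances to triage it helps to parse the version and compare it against the affected range programmatically. The following is an added example, not code from the page or the Dolibarr project: it extracts DOL_VERSION from the contents of htdocs/filefunc.inc.php and classifies it against the 2.8.1 to 13.0.2 range stated in this advisory. The SAMPLE_FILEFUNC string is a constructed stand-in for the real file, and the assess() wording is this example's own.

```python
import os
import re

# Affected range and fix version as stated in this advisory.
AFFECTED_MIN = (2, 8, 1)
AFFECTED_MAX = (13, 0, 2)
FIXED_IN = (13, 0, 3)

# Dolibarr defines its version as the DOL_VERSION constant in htdocs/filefunc.inc.php.
DOL_VERSION_RE = re.compile(
    r"""define\(\s*['"]DOL_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# Constructed stand-in for the relevant line of filefunc.inc.php (not the real file).
SAMPLE_FILEFUNC = """<?php
// ... licence header and other defines omitted ...
if (!defined('DOL_VERSION')) define('DOL_VERSION', '13.0.2');
"""


def extract_dol_version(source: str) -> str:
    """Return the DOL_VERSION string from the contents of filefunc.inc.php."""
    m = DOL_VERSION_RE.search(source)
    if not m:
        raise ValueError("DOL_VERSION not found; is this htdocs/filefunc.inc.php?")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """Normalise '13.0.2', '13.0.2-1' or '14.0.0-beta' to a 3-integer tuple."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version: str) -> bool:
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX


def assess(version: str) -> str:
    """Human-readable verdict for one version string."""
    v = version_tuple(version)
    fixed = ".".join(map(str, FIXED_IN))
    if v < AFFECTED_MIN:
        return "below the listed affected range (%s); not assessed" % version
    if v <= AFFECTED_MAX:
        return "VULNERABLE (%s): upgrade to %s or later" % (version, fixed)
    return "patched (%s is %s or later)" % (version, fixed)


def check_install(dolibarr_root: str) -> str:
    """Read DOL_VERSION from an installed tree and return the assessment."""
    path = os.path.join(dolibarr_root, "htdocs", "filefunc.inc.php")
    with open(path, encoding="utf-8") as fh:
        return assess(extract_dol_version(fh.read()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_install(sys.argv[1]))   # e.g. python3 check.py /var/www/dolibarr
    else:
        print(assess(extract_dol_version(SAMPLE_FILEFUNC)))
```

Run it with the installation root as the only argument; with no argument it evaluates the constructed sample, which reports 13.0.2 as vulnerable. Versions below 2.8.1 are reported as outside the listed range rather than as safe, because the advisory makes no claim about them.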
Verify Fix Applied:
After patching, confirm that DOL_VERSION reads 13.0.3 or later, then test the password reset flow with a test account: request a reset for one user and verify that the emailed link cannot be used to set another user's password, and that a tampered or reused reset link is rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple password reset requests for different users from same IP
- Successful password resets without corresponding email verification logs
- Unusual account access patterns following password resets
Network Indicators:
- HTTP POST requests to password reset endpoints with manipulated parameters
- Rapid sequence of password reset attempts
SIEM Query:
source="dolibarr.log" ("passwordforgotten" OR "password reset" OR "newpassword") | stats count, dc(user) AS distinct_users, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip | where distinct_users > 1 OR count > 5
(Splunk-style query; the src_ip and user field names depend on how your parser extracts them from the Dolibarr syslog output or the web server access log.)
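For teams without a SIEM, the same two indicators listed above (one source address requesting resets for several different users, and rapid bursts of reset requests) can be checked directly against the web server access log. The following is an added example, not code from the page or the Dolibarr project: it parses Apache combined-format lines, keeps only requests to the forgotten-password handler, and flags source IPs that either touch multiple usernames or exceed a request rate within a sliding window. The sample log lines are constructed for this example; the handler path and the username/action query parameter names are assumptions, so adjust RESET_PATH and the parameter names to what your own logs show.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). The handler path and the
# query parameter names (action, username, passworduidhash) are assumptions for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET /dolibarr/user/passwordforgotten.php?action=validatenewpassword&username=alice&passworduidhash=aaaa HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "GET /dolibarr/user/passwordforgotten.php?action=validatenewpassword&username=bob&passworduidhash=bbbb HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:04 +0000] "GET /dolibarr/user/passwordforgotten.php?action=validatenewpassword&username=admin&passworduidhash=cccc HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.20 - - [10/Mar/2021:10:05:00 +0000] "GET /dolibarr/user/passwordforgotten.php?action=validatenewpassword&username=carol&passworduidhash=dddd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:10:05:30 +0000] "GET /dolibarr/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
RESET_PATH = "/user/passwordforgotten.php"   # assumed location of the reset handler


def parse_reset_events(log_text: str) -> list:
    """Return one dict per request that hit the reset handler."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(RESET_PATH):
            continue
        qs = parse_qs(parts.query)
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "user": qs.get("username", ["?"])[0],
            "action": qs.get("action", [""])[0],
            "status": int(m.group("status")),
        })
    return events


def find_suspicious_sources(events, min_distinct_users=3,
                            window=timedelta(seconds=60), max_in_window=5) -> dict:
    """Flag source IPs that reset many different users or burst many requests."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        users = {e["user"] for e in evs}

        # Sliding window: peak number of reset requests from this IP inside `window`.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)

        reasons = []
        if len(users) >= min_distinct_users:
            reasons.append("%d distinct usernames targeted" % len(users))
        if peak >= max_in_window:
            reasons.append("%d reset requests within %ds" % (peak, window.total_seconds()))
        if reasons:
            findings[ip] = {"users": sorted(users), "peak_in_window": peak, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, info in find_suspicious_sources(parse_reset_events(SAMPLE_LOG)).items():
        print(ip, info["users"], "; ".join(info["reasons"]))
```

On the constructed sample, 203.0.113.7 is flagged for targeting three different usernames within a few seconds, while 198.51.100.20 (one legitimate-looking reset) is not. Note that the reset form itself is normally submitted by POST, so the username is not visible in the access log for the initial request; the emailed validation link carries it in the query string, which is what this example keys on. Pair it with the Dolibarr application log if you need the POST side.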
🔗 References
- https://github.com/Dolibarr/dolibarr/commit/87f9530272925f0d651f59337a35661faeb6f377
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25957