CVE-2021-33816

9.8 CRITICAL

📋 TL;DR

CVE-2021-33816 lets an attacker execute arbitrary PHP code on Dolibarr 13.0.2 installations through the Website module's page builder. Pages built with the module may contain PHP, and the module's save-time check refuses code that calls command-execution functions such as system, exec and shell_exec. That check is a denylist of function names, so it does not recognise the backtick operator (`cmd`), which runs a shell command exactly like shell_exec(); a page whose PHP wraps commands in backticks is saved unchanged and executed by the web server when rendered. Exploitation requires an account that can edit website pages; every 13.0.2 installation with the Website module enabled is affected.

💻 Affected Systems

Products:
  • Dolibarr ERP/CRM
Versions: 13.0.2 (confirmed); fixed in 13.0.3
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes once the Website module is enabled (the module is optional and is activated from the module list)
Notes: Requires the Website module to be enabled and an account with permission to edit website pages. Earlier 13.0.x releases that carry the same function-name check are probably affected as well, but 13.0.2 is the version confirmed vulnerable.

📦 What is this software?

Dolibarr ERP/CRM is an open-source, PHP-based ERP and CRM suite (customers, invoicing, stock, HR and more) that is normally self-hosted. Its optional Website module is a site and page builder inside the back office; the pages it produces can carry PHP, which is why a gap in its code check becomes remote code execution on the server.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the host: arbitrary commands run as the web server user, from which an attacker can read the ERP/CRM database (customer, invoice and HR data), plant persistence, deploy ransomware, or pivot into the internal network.

🟠

Likely Case

Remote code execution leading to web shell installation, exfiltration of business data from the Dolibarr database, or deployment of cryptocurrency-mining malware.

🟢

If Mitigated

Limited to the Dolibarr host if network segmentation, a web application firewall, tightly restricted website-editing permissions and a least-privilege PHP configuration (command-execution functions disabled in php.ini) are in place.

🌐 Internet-Facing: HIGH - Exploitable remotely by anyone who holds, or can obtain (phishing, credential stuffing, password reuse), an account with Website module edit rights; the back-office login page is usually exposed alongside the public site.
🏢 Internal Only: MEDIUM - Exploitable by insiders and by attackers who first gain internal network access and an eligible account.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No - editing website pages is a back-office function that requires a logged-in account with Website module write permission
Complexity: LOW

Exploit details are public. Once an attacker has an eligible account, exploitation consists of saving a page whose PHP uses the backtick operator instead of a blocked function name; no memory corruption or race is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 13.0.3 and later

Vendor Advisory: https://www.dolibarr.org/forum/dolibarr-news-announcements-16/security-release-dolibarr-13-0-3-24933

Restart Required: No (PHP picks up the replaced files directly; if OPcache runs with timestamp validation disabled, reload PHP-FPM or the web server so stale bytecode is not served)

Instructions:

1. Back up the Dolibarr installation directory and its database.
2. Download Dolibarr 13.0.3 or later from the official website and verify the download against the published checksum.
3. Replace the existing installation files with the new version, following the upgrade notes in the announcement linked above.
4. Confirm the version now reads 13.0.3 or later (see How to Verify below) and that the Website module rejects pages containing backtick commands.

🔧 Temporary Workarounds

Disable Website Builder Module

Platform: all

Temporarily disable the vulnerable website builder module to prevent exploitation.

Navigate to Dolibarr admin panel > Setup > Modules/Applications > disable the 'Website' module. Note that this also takes any public site served by the module offline until it is re-enabled after patching.

Web Application Firewall Rule

Platform: all

Block requests to the Website module's editor endpoints (paths under /website/) whose body or query string contains a backtick, either raw or URL-encoded as %60.

Add a WAF rule matching `\x60` or `%60` in POST/PUT request bodies and query strings for Website module endpoints. The rule must inspect the request body, since page content is submitted in the body rather than the URL, and it will produce false positives on legitimate content that contains backticks (JavaScript template literals, Markdown code spans), so scope it to the editor paths only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Dolibarr from critical systems
  • Deploy a web application firewall with rules to detect and block command injection attempts
  • Restrict Website module write permission to the smallest possible set of accounts and enforce strong authentication on them
  • Set disable_functions = exec,passthru,shell_exec,system,proc_open,popen in php.ini where Dolibarr does not need them; PHP disables the backtick operator whenever shell_exec is disabled, which closes this bypass at the runtime level

🔍 How to Verify

Check if Vulnerable:

You are exposed if the installation runs Dolibarr 13.0.2 (or an earlier 13.0.x build) with the Website module enabled. To confirm the behaviour, use a non-production copy only: an account with website edit rights saves a page containing a harmless backtick expression and checks whether the save is rejected (13.0.3 and later) or the page renders the command's output.

Check Version:

Read the version from the Dolibarr admin panel (Home > Setup, shown in the footer and on the About page) or from the DOL_VERSION constant defined in htdocs/filefunc.inc.php

Verify Fix Applied:

After patching, verify that DOL_VERSION is 13.0.3 or later, that the Website module refuses to save pages containing backtick commands, and that shell_exec and its relatives are disabled in php.ini if you rely on that as defence in depth.
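The two checks above can be scripted. The following is an added example written for this page, not Dolibarr's own code; it assumes the standard layout in which DOL_VERSION is defined in htdocs/filefunc.inc.php as define('DOL_VERSION', '13.0.2'), and it reads the disable_functions setting of whatever PHP runtime executes it, so run it with the same PHP binary that serves Dolibarr. The filefunc.inc.php excerpt embedded below is constructed sample input.

```php
<?php
// Added example (not Dolibarr's code): post-patch verification for CVE-2021-33816.
// Assumption: DOL_VERSION lives in htdocs/filefunc.inc.php as define('DOL_VERSION', '...').
declare(strict_types=1);

const FIRST_FIXED_VERSION = '13.0.3';

/** Pull the DOL_VERSION constant out of the contents of filefunc.inc.php (null if absent). */
function extractDolVersion(string $fileContents): ?string
{
    $pattern = "/define\(\s*['\"]DOL_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)/";
    if (preg_match($pattern, $fileContents, $m)) {
        return $m[1];
    }
    return null;
}

/** True when the installed version already carries the fix (13.0.3 or later). */
function isPatched(string $version): bool
{
    return version_compare($version, FIRST_FIXED_VERSION, '>=');
}

/**
 * Defence in depth: PHP disables the backtick operator whenever shell_exec is listed
 * in disable_functions, so that single entry is what matters for this bypass.
 */
function shellExecDisabled(string $disableFunctionsIni): bool
{
    $disabled = array_map('trim', explode(',', strtolower($disableFunctionsIni)));
    return in_array('shell_exec', $disabled, true);
}

// Constructed sample of the relevant line from a 13.0.2 install. On a real host use
// file_get_contents('/path/to/dolibarr/htdocs/filefunc.inc.php') instead.
$sampleFilefunc = "<?php\n// ...\ndefine('DOL_VERSION', '13.0.2');\n";

$version = extractDolVersion($sampleFilefunc);
if ($version === null) {
    echo "Dolibarr version: not found in input\n";
} else {
    printf("Dolibarr version: %s -> %s\n", $version,
        isPatched($version) ? 'patched' : 'VULNERABLE (upgrade to ' . FIRST_FIXED_VERSION . ' or later)');
}

// Live value from the PHP runtime executing this script.
$ini = (string) ini_get('disable_functions');
printf("shell_exec (and therefore backticks) disabled in php.ini: %s\n",
    shellExecDisabled($ini) ? 'yes' : 'no');
```

With the constructed input the version check reports VULNERABLE; the second line depends on the php.ini of the interpreter you run it under, which is the point: check it under the web server's PHP-FPM pool, not a CLI that reads a different ini file.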

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the Website module's editor endpoints whose URL or query string contains a backtick or %60. Web server access logs do not record request bodies, where the page content actually travels, so body-level indicators require WAF or reverse-proxy logging that captures bodies.
  • Backtick operators or command-execution functions appearing in the stored website page files the module writes to disk
  • Unexpected child processes (sh, curl, wget, perl, python) spawned by the web server or PHP-FPM user

Network Indicators:

  • Unusual outbound connections from the web server to external IPs, especially immediately after a page edit in the Website module
  • Command and control beaconing or cryptocurrency-mining pool traffic originating from the Dolibarr host

SIEM Query:

source="web_logs" AND url="*/website/*" AND method="POST" AND (request="*`*" OR request="*%60*")

This query only sees payloads that travel in the URL; run it against WAF or proxy logs that record request bodies to catch page content, and expect some benign hits from pages that legitimately contain backticks.
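The denylist gap described in the TL;DR and the file-based indicator listed under Log Indicators share one mechanism, so one script serves both: a tokenizer-based check that sees the backtick operator as what it is, used first as the save-time check a denylist should have been and then as a scanner over already-saved pages. This is an added example written for this page, not Dolibarr's code. Assumptions: the forbidden-function list is illustrative (the page names system, exec and shell_exec; the rest are the usual companions), the directory layout is assumed (Dolibarr stores each website page as a PHP template under its documents directory; point scanStoredPages() at that tree), and the sample page sources are constructed.

```php
<?php
// Added example, not Dolibarr's code. (1) Why a function-name denylist lets the
// backtick operator through, and (2) the same tokenizer check as a scanner for
// website pages already saved to disk.
// Assumption: stored pages are *.php files under a directory you pass to scanStoredPages().
declare(strict_types=1);

const FORBIDDEN_FUNCTIONS = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];

/** Hypothetical model of the weak check: rejects named calls, knows nothing about `...`. */
function weakDenylistCheck(string $phpCode): bool
{
    foreach (FORBIDDEN_FUNCTIONS as $fn) {
        if (preg_match('/\b' . $fn . '\s*\(/i', $phpCode)) {
            return false;   // rejected
        }
    }
    return true;            // accepted
}

/**
 * Walk PHP's own token stream and report every shell-execution construct with its line.
 * The backtick operator is returned as the bare one-character token '`' (opening and
 * closing); named calls are T_STRING tokens. Returns [] for clean code.
 */
function findShellExecution(string $phpCode): array
{
    $findings = [];
    $line = 1;             // single-character tokens carry no line, so track the last seen one
    $inBacktick = false;
    foreach (token_get_all($phpCode) as $token) {
        if ($token === '`') {
            if (!$inBacktick) {
                $findings[] = ['line' => $line, 'what' => 'backtick operator'];
            }
            $inBacktick = !$inBacktick;
            continue;
        }
        if (!is_array($token)) {
            continue;
        }
        [$id, $text, $line] = $token;
        if ($id === T_STRING && in_array(strtolower($text), FORBIDDEN_FUNCTIONS, true)) {
            $findings[] = ['line' => $line, 'what' => strtolower($text) . '()'];
        }
    }
    return $findings;
}

/** Hardened save-time check: accept only code with no shell-execution construct. */
function hardenedCheck(string $phpCode): bool
{
    return findShellExecution($phpCode) === [];
}

/** Detection: scan every *.php file under $dir (stored website pages) and list findings. */
function scanStoredPages(string $dir): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (substr($file->getFilename(), -4) !== '.php') {
            continue;
        }
        foreach (findShellExecution((string) file_get_contents($file->getPathname())) as $f) {
            $report[] = sprintf('%s:%d %s', $file->getPathname(), $f['line'], $f['what']);
        }
    }
    return $report;
}

// Constructed page sources (not real Dolibarr pages).
$samples = [
    'named call' => "<?php system(\$_GET['c']); ?>",
    'backtick'   => "<h1>Hello</h1>\n<?php echo `id`; ?>",
    'harmless'   => "<?php echo htmlspecialchars(\$title); ?>",
];
foreach ($samples as $name => $code) {
    printf("%-10s weak=%-6s hardened=%-6s findings=%s\n", $name,
        weakDenylistCheck($code) ? 'accept' : 'reject',
        hardenedCheck($code) ? 'accept' : 'reject',
        json_encode(findShellExecution($code)));
}
// Against a real installation (path assumed):
// foreach (scanStoredPages('/var/www/dolibarr/documents/website') as $hit) echo $hit, "\n";
```

The 'backtick' sample passes the weak check and fails the hardened one, which is the whole CVE in two lines. Note that the tokenizer check is still a denylist: variable functions ($f = 'sys' . 'tem'; $f(...)), call_user_func() and eval() all slip past it, so treat it as a guardrail. The durable controls are limiting who may edit website pages and disabling exec, passthru, shell_exec, system, proc_open and popen in php.ini (disabling shell_exec also disables the backtick operator).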
