CVE-2021-37517
📋 TL;DR
This CVE describes an access control vulnerability in Dolibarr ERP/CRM's forgot-password function that allows email addresses as usernames, enabling attackers to cause denial of service. The vulnerability affects Dolibarr versions before 14.0.0, potentially impacting any organization using vulnerable versions of this open-source ERP/CRM software.
💻 Affected Systems
- Dolibarr ERP/CRM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for legitimate users attempting password resets, potentially locking out administrators and disrupting business operations.
Likely Case
Targeted DoS attacks against specific users by flooding password reset requests, causing temporary service disruption.
If Mitigated
Minimal impact with proper rate limiting and email validation controls in place.
🎯 Exploit Status
Exploitation requires no authentication and involves simple HTTP requests to the password reset endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.0.0
Vendor Advisory: https://github.com/Dolibarr/dolibarr/commit/b57eb8284e830e30eefb26e3c5ede076ea24037c
Restart Required: No
Instructions:
1. Backup your Dolibarr installation and database.
2. Download Dolibarr 14.0.0 or later from the official repository.
3. Replace the existing installation with the new version.
4. Verify the forgot-password functionality works correctly.
🔧 Temporary Workarounds
Implement Rate Limiting
Add rate limiting to the forgot-password endpoint to prevent abuse.
# Configure web server rate limiting (nginx example).
# The limit_req_zone directive must be placed in the http {} block:
limit_req_zone $binary_remote_addr zone=passwordreset:10m rate=1r/m;
# The location block goes inside the server {} block that serves Dolibarr
# (keep the existing PHP/fastcgi directives for this location alongside limit_req):
location /public/forgottenpassword.php {
    limit_req zone=passwordreset burst=5 nodelay;
}
Disable Password Reset
Temporarily disable the forgot-password functionality if not critical.
# Rename or remove the forgotten password file:
mv /path/to/dolibarr/public/forgottenpassword.php /path/to/dolibarr/public/forgottenpassword.php.disabled
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block excessive password reset requests
- Monitor and alert on unusual password reset activity patterns
🔍 How to Verify
Check if Vulnerable:
Check if your Dolibarr version is below 14.0.0 by visiting /admin/about.php or checking the version in the admin interface.
Check Version:
grep -m1 'DOL_VERSION' /path/to/dolibarr/htdocs/filefunc.inc.php
Verify Fix Applied:
After upgrading to 14.0.0 or later, test the forgot-password functionality to ensure it properly validates requests and implements rate limiting.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed password reset attempts from single IP
- Unusual volume of requests to /public/forgottenpassword.php
Network Indicators:
- High volume of POST requests to password reset endpoint
- Pattern of requests with varying email addresses
SIEM Query:
source="web_logs" AND (url="/public/forgottenpassword.php" OR url="/forgottenpassword.php") | stats count by src_ip | where count > 10
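For environments without a SIEM, the same per-source threshold check can be run directly over the web server access log. The script below is an added example, not part of the original advisory; it parses constructed nginx/Apache "combined" format lines (sample traffic, not real data) and flags any source IP with more than 10 POSTs to the forgot-password endpoint.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not captured from a real system.
# One source sends 12 reset POSTs, another sends a single reset POST plus an unrelated GET.
SAMPLE_LOG = "\n".join(
    ['198.51.100.7 - - [10/Oct/2021:13:55:%02d +0000] '
     '"POST /public/forgottenpassword.php HTTP/1.1" 200 512 "-" "curl/7.68.0"' % s
     for s in range(12)]
    + ['203.0.113.5 - - [10/Oct/2021:13:56:01 +0000] '
       '"POST /public/forgottenpassword.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
       '203.0.113.5 - - [10/Oct/2021:13:56:30 +0000] '
       '"GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
)

# Matches the leading fields of a combined-format line: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Both URL forms named in the advisory's SIEM query.
RESET_PATHS = {"/public/forgottenpassword.php", "/forgottenpassword.php"}


def parse_line(line):
    """Return a dict of parsed fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string before matching
    return rec


def count_reset_requests(log_text):
    """Count POST requests to the forgot-password endpoint per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in RESET_PATHS:
            counts[rec["ip"]] += 1
    return counts


def flag_sources(log_text, threshold=10):
    """Return {ip: count} for sources exceeding the threshold (default mirrors 'count > 10')."""
    return {ip: n for ip, n in count_reset_requests(log_text).items() if n > threshold}


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} password-reset POSTs exceed threshold")
```

In production, feed the script a rolling window of the log (for example the last few minutes) so the threshold reflects burst rate rather than all-time volume.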