CVE-2024-5314
📋 TL;DR
CVE-2024-5314 is a SQL injection vulnerability in Dolibarr ERP-CRM version 9.0.1. The sortorder and sortfield request parameters of /dolibarr/admin/dict.php are used to build the query's sort clause without being validated, so a remote attacker who can reach that page can inject arbitrary SQL and retrieve everything stored in the database, including business data, user credential hashes and configuration. Organizations running the affected Dolibarr release are exposed.
💻 Affected Systems
- Dolibarr ERP-CRM
📦 What is this software?
Dolibarr ERP-CRM is an open-source ERP and CRM web application written in PHP, normally deployed on MySQL/MariaDB (PostgreSQL is also supported). dict.php is the administration page that manages the application's dictionary tables (reference lists such as country, currency and payment-term codes); it lives under the admin area and is reachable only by administrator accounts.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing attackers to exfiltrate all stored data, modify or delete records, and potentially gain administrative access to the entire ERP system.
Likely Case
Data theft of sensitive business information, customer records, financial data, and user credentials leading to business disruption and compliance violations.
If Mitigated
Limited impact where the admin area is reachable only from trusted networks and the application's database account holds only the privileges it needs on its own schema, so an injected query cannot read other databases or write to the file system. Note that input validation and allowlisting of the sort parameters are the actual fix, not a mitigation.
🎯 Exploit Status
dict.php sits under Dolibarr's admin area, so exploitation requires a session that can reach the admin interface. Once there, the injection is a plain URL parameter tamper that needs only basic web application testing skills; no public exploit code is referenced by the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 9.0.1 (the advisory names only 9.0.1 as affected; upgrade to a current, supported Dolibarr release rather than the next point release)
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-dolibarrs-erp-cms
Restart Required: No
Instructions:
1. Upgrade Dolibarr to the latest supported version.
2. If an upgrade is not immediately possible, apply the vendor's security patches for the 9.0.x branch where available.
3. Confirm that htdocs/admin/dict.php (served as /dolibarr/admin/dict.php) no longer passes the raw sortfield and sortorder values into the query: both must be checked against a fixed list of column names and ASC/DESC before they reach the ORDER BY clause.
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the vulnerable admin interface using network controls or an additional authentication layer in front of the Dolibarr login.
# Apache 2.4 example. Put this in the virtual host configuration:
# <Location> is not permitted in .htaccess (in an .htaccess file inside the
# admin directory the same directives go at top level, without <Location>).
# Two Require lines in one <Location> without <RequireAll> are ORed (Apache's
# default is RequireAny), so a client matching either one would be let in.
<Location /dolibarr/admin>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/to/.htpasswd
    <RequireAll>
        Require ip 192.168.1.0/24
        Require valid-user
    </RequireAll>
</Location>
# To use only the network restriction, drop the Auth* lines and
# "Require valid-user"; to use only the extra login, drop "Require ip".
Input Validation Filter
Add allowlist validation for the sortorder and sortfield parameters before they are used to build the query.
# PHP snippet illustrating the allowlist check to add to dict.php.
# The field names must match the columns dict.php actually sorts on.
# Dolibarr normally reads request parameters through its GETPOST() helper;
# $_GET is used here only to keep the snippet self-contained.
$allowed_sortfields = ['field1', 'field2', 'field3'];
$allowed_sortorders = ['ASC', 'DESC'];
$sortfield = isset($_GET['sortfield']) ? $_GET['sortfield'] : '';
$sortorder = isset($_GET['sortorder']) ? strtoupper($_GET['sortorder']) : '';
if (!in_array($sortfield, $allowed_sortfields, true)) { // strict compare, no type juggling
    $sortfield = 'default_field';
}
if (!in_array($sortorder, $allowed_sortorders, true)) {
    $sortorder = 'ASC';
}
# Only $sortfield and $sortorder (never the raw request values) may reach the ORDER BY.
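Added example (not Dolibarr code): a Python/sqlite3 model of why the allowlist above is the right fix for sort parameters. It uses constructed tables (dict_entry, app_user) rather than Dolibarr's schema and shows three things: the concatenated ORDER BY leaking a character of a stored secret through row order alone, the allowlisted version returning the default order for the same payload, and why a bound placeholder in ORDER BY is not an alternative to allowlisting.

```python
import sqlite3
import string
from typing import Callable, List, Optional

# Constructed in-memory stand-in for the tables dict.php sorts; not Dolibarr's schema.
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE dict_entry (id INTEGER PRIMARY KEY, code TEXT, label TEXT);
    INSERT INTO dict_entry (id, code, label)
        VALUES (1, 'A', 'zeta'), (2, 'B', 'alpha'), (3, 'C', 'mid');
    CREATE TABLE app_user (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
    INSERT INTO app_user (id, login, pass_hash) VALUES (1, 'admin', 'secret');
""")

ListFn = Callable[[str, str], List[str]]


def list_entries_vulnerable(sortfield: str, sortorder: str) -> List[str]:
    """Mirrors the flaw: both sort parameters are concatenated into ORDER BY."""
    sql = f"SELECT code FROM dict_entry ORDER BY {sortfield} {sortorder}"
    return [row[0] for row in CONN.execute(sql)]


ALLOWED_SORTFIELDS = {"id", "code", "label"}
ALLOWED_SORTORDERS = {"ASC", "DESC"}


def list_entries_hardened(sortfield: str, sortorder: str) -> List[str]:
    """Allowlist both values; anything else falls back to a fixed default."""
    if sortfield not in ALLOWED_SORTFIELDS:
        sortfield = "id"
    sortorder = sortorder.upper()
    if sortorder not in ALLOWED_SORTORDERS:
        sortorder = "ASC"
    # Still string-built, but only from values the code itself chose.
    sql = f"SELECT code FROM dict_entry ORDER BY {sortfield} {sortorder}"
    return [row[0] for row in CONN.execute(sql)]


def list_entries_bound_param(sortfield: str) -> List[str]:
    """Why a prepared-statement placeholder is not the fix here: the bound value
    is a constant string, so ORDER BY ? does not sort by that column at all."""
    rows = CONN.execute("SELECT code FROM dict_entry ORDER BY ? ASC", (sortfield,))
    return [row[0] for row in rows]


def leak_first_char(list_fn: ListFn) -> Optional[str]:
    """Blind ORDER BY injection: the row order is a one-bit oracle.
    A correct guess sorts by label ('B','C','A'); a wrong one sorts by code
    ('A','B','C'). Returns the recovered character, or None if the sort
    parameter had no effect on the order (i.e. the handler is not injectable)."""
    for guess in string.ascii_lowercase:
        payload = (
            "(CASE WHEN (SELECT substr(pass_hash, 1, 1) FROM app_user WHERE id = 1)"
            f" = '{guess}' THEN label ELSE code END)"
        )
        try:
            order = list_fn(payload, "ASC")
        except sqlite3.Error:
            return None
        if order == ["B", "C", "A"]:
            return guess
    return None


if __name__ == "__main__":
    print(leak_first_char(list_entries_vulnerable))  # 's'
    print(leak_first_char(list_entries_hardened))    # None
```

The point of list_entries_bound_param is that sort columns and sort direction are identifiers, not data: a driver placeholder binds a value, so the only safe construction is to pick the identifier from a fixed set in code and then interpolate that chosen value, which is exactly what the PHP allowlist above does.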
🧯 If You Can't Patch
- Implement strict network segmentation so the Dolibarr server, and its admin area in particular, is reachable only from trusted networks.
- Run Dolibarr's database account with the minimum privileges on its own schema (no FILE privilege, no access to other databases) to bound what an injected query can reach.
- Deploy a web application firewall (WAF) with SQL injection rules enabled. Treat this as a speed bump rather than a fix: ORDER BY payloads built from CASE expressions or bare subqueries contain few of the keywords generic rules look for.
🔍 How to Verify
Check if Vulnerable:
Confirm the installed version is 9.0.1 (see Check Version) and inspect htdocs/admin/dict.php, the file served as /dolibarr/admin/dict.php: the install is vulnerable if the sortfield and sortorder request parameters reach the ORDER BY clause without being checked against a fixed list of column names and ASC/DESC.
Check Version:
Read the version from the system information page of the admin interface, or from the DOL_VERSION constant defined in htdocs/filefunc.inc.php (main.inc.php includes that file; the version string is not set in main.inc.php itself).
Verify Fix Applied:
Verify the Dolibarr version is newer than 9.0.1. On an instance you are authorized to test, request dict.php with a sortfield value that is not a column name (for example a parenthesised expression): a fixed version ignores it or falls back to the default sort, while a vulnerable one changes the result order or returns a SQL error.
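Added example (not Dolibarr code): a small Python check that pulls DOL_VERSION out of filefunc.inc.php and compares it numerically against 9.0.1. The sample file content is constructed to match the define's format; the path htdocs/filefunc.inc.php and the assumption that anything at or below 9.0.1 should be treated as unpatched follow from the advisory text on this page. Numeric comparison matters because a plain string compare would rank "10.0.0" below "9.0.1".

```python
import re
from typing import Optional, Tuple

# Constructed sample of the define as it appears in htdocs/filefunc.inc.php (not a real file copy).
SAMPLE_FILEFUNC = """<?php
if (!defined('DOL_VERSION')) {
    define('DOL_VERSION', '9.0.1');
}
"""

AFFECTED_VERSION = "9.0.1"  # the only release this advisory names

_DEFINE_RE = re.compile(r"""define\(\s*['"]DOL_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")


def extract_dol_version(source: str) -> Optional[str]:
    """Return the DOL_VERSION string from the file contents, or None if absent."""
    match = _DEFINE_RE.search(source)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison. A pre-release suffix such as '-alpha' is
    dropped and any non-numeric component counts as 0, which is fine for a
    newer/not-newer decision against 9.0.1."""
    numeric = version.split("-")[0]
    parts = []
    for part in numeric.split("."):
        digits = re.match(r"\d+", part)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def assess(source: str) -> str:
    """Classify a filefunc.inc.php's contents against this advisory."""
    version = extract_dol_version(source)
    if version is None:
        return "unknown: no DOL_VERSION define found"
    if version_key(version) <= version_key(AFFECTED_VERSION):
        return f"unpatched: {version} is not newer than {AFFECTED_VERSION}"
    return f"newer than {AFFECTED_VERSION}: {version}"


if __name__ == "__main__":
    print(assess(SAMPLE_FILEFUNC))  # unpatched: 9.0.1 is not newer than 9.0.1
```

Run it against the real file with something like `assess(open("/var/www/dolibarr/htdocs/filefunc.inc.php").read())`, adjusting the path to your install.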
📡 Detection & Monitoring
Log Indicators:
- ORDER BY clauses in the database query log that contain CASE expressions, subqueries, quotes or comment sequences instead of a plain column name
- Multiple requests to /dolibarr/admin/dict.php with unusual parameter values
- Error logs showing SQL syntax errors from the dict.php endpoint
Network Indicators:
- HTTP requests to /dolibarr/admin/dict.php whose sortfield or sortorder values contain SQL keywords, quotes, parentheses or comment sequences (usually URL-encoded, e.g. %27, %28, %20)
- Unusual database connection patterns from the web server
SIEM Query (vendor-neutral pseudo-query; adapt the field names to your platform):
source="web_logs" AND uri_path="/dolibarr/admin/dict.php" AND (param="sortorder" OR param="sortfield") AND (value="UNION" OR value="SELECT" OR value="INSERT" OR value="DELETE" OR value="UPDATE")
Match against the URL-decoded query string, since payloads arrive as %20, + and %27 sequences. Keyword matching also misses ORDER BY payloads built from CASE/WHEN or a bare subquery in parentheses; a stronger rule alerts on any sortfield value that is not a plain column list (letters, digits, underscores, dots, commas) and any sortorder other than ASC or DESC.
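Added example (not part of the advisory or any SIEM product): the shape-based rule described above, run over constructed Apache combined-format log lines. It URL-decodes the query string, looks only at requests to /dolibarr/admin/dict.php (the path named in this advisory), and flags any sortfield that is not a comma-separated list of column names or any sortorder that is not ASC/DESC. The table and column names inside the sample payloads are made up for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines; not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /dolibarr/admin/dict.php?id=3&sortfield=code&sortorder=ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2024:10:00:07 +0000] "GET /dolibarr/admin/dict.php?id=3&sortfield=code%2C(SELECT+1)&sortorder=ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jun/2024:10:00:09 +0000] "GET /dolibarr/admin/dict.php?id=3&sortfield=(CASE%20WHEN%20(SELECT%20substr(pass_hash,1,1)%20FROM%20app_user)%3D%27a%27%20THEN%20code%20ELSE%20label%20END)&sortorder=ASC HTTP/1.1" 200 5120 "-" "curl/8.0"
10.0.0.9 - - [01/Jun/2024:10:00:11 +0000] "GET /dolibarr/admin/dict.php?id=3&sortfield=code&sortorder=ASC%3B%20DROP%20TABLE%20app_user HTTP/1.1" 500 312 "-" "curl/8.0"
10.0.0.5 - - [01/Jun/2024:10:00:15 +0000] "GET /dolibarr/societe/list.php?sortfield=nom&sortorder=DESC HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WATCHED_PATH = "/dolibarr/admin/dict.php"
# A legitimate sortfield is one or more column names, e.g. "code" or "t.rowid,t.code".
COLUMN_LIST_RE = re.compile(r"^[A-Za-z0-9_.]+(,[A-Za-z0-9_.]+)*$")
ALLOWED_SORTORDER = {"asc", "desc"}


def check_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious dict.php request, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if url.path != WATCHED_PATH:
        return None
    # parse_qs decodes %xx sequences and '+' so the checks see the real value.
    params = parse_qs(url.query, keep_blank_values=True)
    reasons: List[str] = []
    for value in params.get("sortfield", []):
        if not COLUMN_LIST_RE.match(value):
            reasons.append(f"sortfield is not a column list: {value!r}")
    for value in params.get("sortorder", []):
        parts = [p.strip().lower() for p in value.split(",")]
        if not all(p in ALLOWED_SORTORDER for p in parts):
            reasons.append(f"sortorder is not ASC/DESC: {value!r}")
    if not reasons:
        return None
    return {
        "ip": match.group("ip"),
        "ts": match.group("ts"),
        "status": match.group("status"),
        "reasons": reasons,
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run check_line over every line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        finding = check_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], "; ".join(f["reasons"]))
```

The rule is deliberately structural rather than keyword-based: the third sample line carries no UNION or INSERT, only CASE/WHEN and a subquery, and would slip past the keyword query above, while the shape check catches it because parentheses and spaces are not part of any column name. A 500 status on the same request, as in the fourth line, is corroborating evidence of a SQL error.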