Dolibarr: several serious security issues (CVE-2017-7886, CVE-2017-7887, CVE-2017-7888)

Created on 10 Mar 2017  路  12Comments  路  Source: Dolibarr/dolibarr

Bug

We found several serious security issues in Dolibarr version 4.0.4.
At least one leads to complete application compromise.

As far as I can see you have no mail address for handling security issues.

Please publish a valid PGP key for sending the details.

Environment

  • Version: 4.0.4
  • OS: Debian stretch 64-bit
  • Web server: Apache 2.4.25
  • PHP: 7.0.16
  • Database: PostgreSQL 9.6.2

Most helpful comment

I think this isn't getting the required attention.

I contacted you via email, GitHub and Twitter and it seems you're not interested that our findings can be securely transmitted to you.

Please publish a PGP key.

All 12 comments

HI.
You can push your notice at [email protected]

Thanks.
I'd like to send the information privately to you, so please publish your PGP key.

I think this isn't getting the required attention.

I contacted you via email, GitHub and Twitter and it seems you're not interested that our findings can be securely transmitted to you.

Please publish a PGP key.

You can send data to [email protected]. This is my private email.

As I didn't get any response from you via mail, I'll continue here.

Did you have a look into our security advisory?

We will publish our findings at the latest by the 10th of May.

I repeat previous answers: You can send security advisories to [email protected]. Other companies succeed to make their report with this dedicated channel. Did you get an email bounce when you tried ?

I sent several mails from my company address to [email protected] and did not get any bounces. I will try again from my gmail account. Please check.

I sent our advisory to [email protected] three days ago.

DId you have a look into it?

Please note the following CVE numbers for further reference to our findings:

  • CVE-2017-7886
  • CVE-2017-7887
  • CVE-2017-7888

Our updated advisory text was sent to [email protected] some minutes ago.

The mail was successfully delivered:
<[email protected]>: delivery via aspmx.l.google.com[74.125.133.27]:25: 250 2.0.0 OK 1492508918 t18si19894283wra.90 - gsmtp

FIX CVE-2017-7888 in
acfaec684d71bcd85635ce8efecc43d8afd9b5b1
Salt can already be set by an option. Automatically set with 6.0 in new install.

FIX CVE-2017-7887 in
6d01bd712db021a03a8bd78a461e63c26fa63e44
Available in 5.0.3

FIX CVE-2017-7886 in
9c482b9f2a021604e29b7321e2e18eed60d08932
Available in 4.0.7

Was this page helpful?
0 / 5 - 0 ratings