Dolibarr: Security Issues?

Created on 8 Apr 2019  路  7Comments  路  Source: Dolibarr/dolibarr

Please let me know how/where to report security issues confidentially? I have couple of them to discuss.

Version:9.0.1

Bug Security (CVE)

All 7 comments

Security reports can be sent to [email protected]

I have sent the details over, please check.
Also the following CVE IDs were assigned to these issues:

  • CVE-2019-11199
  • CVE-2019-11201

I pushed some fixes in branch 9:
01075081cbcd9130a72115cdb50ee61fc394edc1
63c0ab93fb21f86c1b736061af9fa1eee90148fd
9760ed5c8d04f4de446c9e76bb1543371e695fcf

For the CVE-2019-11199, I am not sure if the fix is adequate, some thoughts:

  • The Regex for 'html' is not adequate. First, it is case-sensitive, so if we pass say 'Html', it would work and a browser will render the html.
  • The app will need to block all types of MIME types that may render as HTML.
  • A better fix would be to whitelist the MIME types for the page i.e. restrict the MIME types of an Image. (Since this page deals with rendering of images)

For CVE-2019-11200, any reason why preg_match() is used instead of a more specific method, say in_array() ? The preg_replace () call would be unecessary then.

The reason being an attacker can still bypass the /(\$|%)/ Regex (and this check would be inadequate against other types of $SHELL).

For CVE-2019-11200, any reason why preg_match() is used instead of a more specific method, say in_array() ? The preg_replace () call would be unecessary then.

The reason being an attacker can still bypass the /(\$|%)/ Regex (and this check would be inadequate against other types of $SHELL).

Thanks. I replace the preg_match with an in_array in v10.0.1

Was this page helpful?
0 / 5 - 0 ratings

Related issues

dolibarr95 picture dolibarr95  路  5Comments

jrgonzalezrios picture jrgonzalezrios  路  4Comments

borsti67 picture borsti67  路  5Comments

esprit-libre picture esprit-libre  路  3Comments

rdoursenaud picture rdoursenaud  路  4Comments