Dolibarr ERP CRM 3.0.0-alpha multiple security vulnerabilities

There are multiple security vulnerabilities in Dolibarr ERP CRM 3.0.0-alpha which may allow an attacker to take control of the software.

Software

Software Link: Dolibarr ERP CRM 3.0.0-alpha

Vulnerable Version: <= 3.0.0-alpha

Vendor Notification: Submitted Bug# 31617 at 2010-11-10 06:24:57 PM GMT

# Vendor patch available @ 2010-11-20 12:27:40 PM GMT

# Advisory released @ 2010-11-21 10:52:13 AM GMT

Vulnerabilities

# Cross-Site Scripting (XSS) # (Requires authorized session) # <= 3.0.0-alpha # Patched

The issues are caused by multiple files failing to correctly sanitize user-supplied data in multiple parameters. The injected script executes whenever the user moves the mouse cursor over the affected page.

# SQL Injection # (Requires authorized session) # <= 3.0.0-alpha # Patched

The issues are caused by multiple files failing to correctly sanitize user-supplied data in multiple parameters. The resulting database error messages also disclose the local file path and the full SQL query.
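As an added example (not Dolibarr's own code, which uses its own database abstraction), the fix pattern for both classes reported above, in PHP against an in-memory SQLite table with constructed rows; the table, column and function names are assumptions:

```php
<?php
// Added example (not Dolibarr code): input reaching SQL and input reaching HTML,
// with the fix for each. In-memory SQLite and constructed rows, so it runs offline.
declare(strict_types=1);

// Constructed sample data, standing in for an application table.
function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE societe (rowid INTEGER PRIMARY KEY, nom TEXT)');
    $db->exec("INSERT INTO societe (rowid, nom) VALUES (1, 'Acme'), (2, 'Bob & <Co>')");
    return $db;
}

// Weak pattern (the shape the advisory describes): the request parameter is
// concatenated into the query, and on failure the raw query and __FILE__ are echoed.
//   $sql = "SELECT nom FROM societe WHERE rowid = " . $_GET['id'];
//   if (!$res) echo "Error in " . __FILE__ . ": " . $sql . " " . $db->errorInfo()[2];

// Hardened lookup: the value only travels as a bound parameter, the caller gets
// nothing but null on failure, and the detail (path, query) stays in the server log.
function findCompanyName(PDO $db, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;  // rejected before it ever reaches SQL
    }
    try {
        $stmt = $db->prepare('SELECT nom FROM societe WHERE rowid = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetchColumn();
        return $row === false ? null : (string)$row;
    } catch (PDOException $e) {
        error_log('societe lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Hardened output: encode for an HTML attribute context with ENT_QUOTES, so a stored
// value cannot close the attribute and introduce an event handler of its own.
function renderNameField(?string $name): string
{
    $safe = htmlspecialchars($name ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="nom" value="' . $safe . '">';
}

$db = buildDb();
echo renderNameField(findCompanyName($db, '2')), "\n";             // encoded "Bob &amp; &lt;Co&gt;"
echo renderNameField(findCompanyName($db, 'not-a-number')), "\n";  // empty field, no error text
```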

Reference

# OWASP: SQL Injection

# OWASP: Cross-Site Scripting (XSS)

# OWASP: Cross-Site Request Forgery

# OWASP: Full Path Disclosure

# OWASP: Information Leakage

Appendix

[TXT] Dolibarr ERP CRM 3.0.0-alpha multiple security vulnerabilities