> On May 17, 2017, at 3:08 PM, Stefan Pietsch <[email protected]> wrote:
>
> On 10.05.2017 10:28, FOXMOLE Advisories wrote:
>> === FOXMOLE - Security Advisory 2017-02-23 ===
>>
>> Dolibarr ERP & CRM - Multiple Issues
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Affected Versions
>> =================
>> Dolibarr 4.0.4
>>
>> Issue Overview
>> ==============
>> Vulnerability Type: SQL Injection, Cross Site Scripting,
>> Weak Hash Algorithm without Salt, Weak Password Change
>> Method
>> Technical Risk: critical
>> Likelihood of Exploitation: medium
>> Vendor: Dolibarr
>> Vendor URL: https://www.dolibarr.org/
>> Credits: FOXMOLE employees Tim Herres and Stefan Pietsch
>> Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
>> Advisory Status: Public
>> OVE-ID: OVE-20170223-0001
>> CVE Number: CVE-2017-7886, CVE-2017-7887, CVE-2017-7888
>> CVE URL: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7886
>> https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7887
>> https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7888
>> CWE-ID: CWE-79, CWE-89, CWE-327, CWE-620, CWE-759
>> CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
>
> --- snip ---
>
> Here is a small update to our security advisory.
>
> An additional CVE ID got assigned for the password change finding:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8879
>
> Meanwhile the Dolibarr developers fixed more possible SQL injection bugs
> in this git commit:
> https://github.com/Dolibarr/dolibarr/commit/fa290c34fad108ec7c0751c0372ae9c4b4f63b06
>
> They still didn't release a fixed version of the Dolibarr software.
>
> For CVE-2017-7886 I don't agree with the CVSS v2 scoring from the NIST.
> They rated "Confidentiality Impact" as partial while I think it is
> complete as we have full access to all tables.
But you don't have access to the underlying system, such as configuration files with plaintext passwords or similar. Only in a poorly configured MySQL instance would you be able to read files in the first place. I agree that the Confidentiality Impact is partial.

> Regards,
> Stefan
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
