> On May 17, 2017, at 3:08 PM, Stefan Pietsch <stefan.piet...@foxmole.com> 
> wrote:
> 
> On 10.05.2017 10:28, FOXMOLE Advisories wrote:
>> === FOXMOLE - Security Advisory 2017-02-23 ===
>> 
>> Dolibarr ERP & CRM  - Multiple Issues
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> 
>> Affected Versions
>> =================
>> Dolibarr 4.0.4
>> 
>> Issue Overview
>> ==============
>> Vulnerability Type: SQL Injection, Cross Site Scripting,
>>                    Weak Hash Algorithm without Salt, Weak Password Change Method
>> Technical Risk: critical
>> Likelihood of Exploitation: medium
>> Vendor: Dolibarr
>> Vendor URL: https://www.dolibarr.org/
>> Credits: FOXMOLE employees Tim Herres and Stefan Pietsch
>> Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-02-23.txt
>> Advisory Status: Public
>> OVE-ID: OVE-20170223-0001
>> CVE Number: CVE-2017-7886, CVE-2017-7887, CVE-2017-7888
>> CVE URL: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7886
>>         https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7887
>>         https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7888
>> CWE-ID: CWE-79, CWE-89, CWE-327, CWE-620, CWE-759
>> CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
> 
> --- snip ---
> 
> Here is a small update to our security advisory.
> 
> An additional CVE ID got assigned for the password change finding:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8879
> 
> 
> Meanwhile the Dolibarr developers fixed more possible SQL injection bugs
> in this git commit:
> https://github.com/Dolibarr/dolibarr/commit/fa290c34fad108ec7c0751c0372ae9c4b4f63b06
> 
> They still didn't release a fixed version of the Dolibarr software.
> 
> 
> 
> For CVE-2017-7886 I don't agree with the CVSS v2 scoring from the NIST.
> They rated "Confidentiality Impact" as partial while I think it is
> complete as we have full access to all tables.
> 

But you don’t have access to the underlying system, such as configuration files 
with plaintext passwords or similar. Only in a poorly configured MySQL instance 
would you be able to read files in the first place. I agree that the 
Confidentiality Impact is partial.

> 
> Regards,
> Stefan


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
