Multiple vulnerabilities have been discovered in Dolibarr ERP/CRM, which can be exploited by malicious users to conduct SQL injection attacks and compromise a vulnerable system.

1) Input passed via the "rowid" parameter to adherents/fiche.php not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires the "Members" module within the "Human Resource Management" section to be enabled (disabled by default) and "Read members" permissions.

2) Input passed via the "sql_compat" parameter to admin/tools/export.php is not properly sanitised before being used in an "popen()" call. This can be exploited to inject and execute arbitrary shell commands.

Successful exploitation of this vulnerability requires administrator privileges.

The vulnerabilities are confirmed in version 3.1.1. Other versions may also be affected.

Solution
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by
1) Benjamin Kunz Mejri and Ucha Gobejishvili, Vulnerability-Lab.
2) Nahuel Grisolia.

Changelog
Further details available in Customer Area

Original Advisory
Vulnerability Lab:
http://www.vulnerability-lab.com/get_content.php?id=427

Nahuel Grisolia:
http://seclists.org/fulldisclosure/2012/Apr/78

Deep Links
Links available in Customer Area