[Secure-testing-team] Bug#885321: dolibarr: CVE-2017-17897 CVE-2017-17898 CVE-2017-17899 CVE-2017-17900

[Salvatore Bonaccorso]

Source: dolibarr
Version: 3.5.5+dfsg1-1
Severity: grave
Tags: patch security upstream

Hi,

the following vulnerabilities were published for dolibarr.

CVE-2017-17897[0]:
| SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM
| version 6.0.4 allows remote attackers to execute arbitrary SQL commands
| via the id parameter.

CVE-2017-17898[1]:
| Dolibarr ERP/CRM version 6.0.4 does not block direct requests to
| *.tpl.php files, which allows remote attackers to obtain sensitive
| information.

CVE-2017-17899[2]:
| SQL injection vulnerability in adherents/subscription/info.php in
| Dolibarr ERP/CRM version 6.0.4 allows remote attackers to execute
| arbitrary SQL commands via the rowid parameter.

CVE-2017-17900[3]:
| SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM
| version 6.0.4 allows remote attackers to execute arbitrary SQL commands
| via the socid parameter.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17897
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17897
[1] https://security-tracker.debian.org/tracker/CVE-2017-17898
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17898
[2] https://security-tracker.debian.org/tracker/CVE-2017-17899
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17899
[3] https://security-tracker.debian.org/tracker/CVE-2017-17900
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17900

In one case the code moved from subscriptions_info.php to
subscriptions/info.php, still decided to fill one bug report for the
four CVEs since set of fixes and affected versions are same.

If I was wrong on this regard, please clone the bug and adjust
affected versions as needed for the BTS.

Regards,
Salvatore