Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2017-17900

CVE-2017-17900:
Dolibarr SQL injection vulnerability in fourn/index.php

9.8

CVSS Score

Basic Information

CVE ID
CVE-2017-17900
GHSA ID
GHSA-6frc-vfw9-wm27
EPSS Score
-
CWE
CWE-89
Published
5/14/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
dolibarr/dolibarrcomposer< 6.0.56.0.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper handling of the socid parameter in fourn/index.php. The original code directly accessed $_GET["socid"] without validation, making SQL queries using this parameter vulnerable to injection. The patch explicitly replaces $_GET access with GETPOST("socid", 'int'), which enforces type casting to an integer, neutralizing SQL injection vectors. This line change in the commit diff directly addresses the root cause, confirming the vulnerability's location and mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

SQL inj**tion vuln*r**ility in *ourn/in**x.p*p in *oli**rr *RP/*RM v*rsion *.*.* *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry SQL *omm*n*s vi* t** so*i* p*r*m*t*r.

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* t** so*i* p*r*m*t*r in *ourn/in**x.p*p. T** ori*in*l *o** *ir**tly ****ss** $_**T["so*i*"] wit*out v*li**tion, m*kin* SQL qu*ri*s usin* t*is p*r*m*t*r vuln*r**l* to inj**tion. T** p*t** *xpli*itly r*p