CVE-2018-25357 Overview
CVE-2018-25357 is a remote code execution vulnerability in Dolibarr ERP/CRM version 7.0.3. The flaw resides in the installation workflow, specifically in install/step1.php, which fails to sanitize the db_name POST parameter before writing it to a PHP configuration file. Unauthenticated attackers can inject arbitrary PHP code through this parameter and then trigger execution by issuing a GET request to check.php with a cmd parameter. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code, "Code Injection") and carries a CVSS v4.0 score of 9.3.
Critical Impact
Unauthenticated remote attackers can execute arbitrary operating system commands on affected Dolibarr ERP/CRM 7.0.3 servers, leading to complete host compromise.
Affected Products
- Dolibarr ERP/CRM 7.0.3
- Installations exposing the install/ directory after setup
- Self-hosted Dolibarr deployments running the vulnerable PHP code path
Discovery Timeline
- 2026-05-23 - CVE-2018-25357 published to the National Vulnerability Database (NVD)
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2018-25357
Vulnerability Analysis
Dolibarr ERP/CRM 7.0.3 ships with an interactive installer that accepts database configuration values through a POST request to install/step1.php. The installer writes user-supplied values, including db_name, directly into a generated PHP configuration file without input validation or escaping. Because the configuration file is later included by other scripts, any PHP syntax injected into db_name is parsed and executed by the interpreter.
The second-stage endpoint, check.php, reads a cmd GET parameter and passes it to a command execution sink that the attacker planted during step one. The combination produces a reliable unauthenticated remote code execution chain that requires no user interaction.
Root Cause
The root cause is unsanitized input flowing into generated PHP source. The installer treats db_name as a trusted string and concatenates it into a file that is later evaluated by the PHP interpreter. No allowlist, type check, or escaping is applied, so attacker-controlled PHP statements become part of the application's executable code.
Attack Vector
Exploitation proceeds in two HTTP requests. First, the attacker sends a POST request to install/step1.php containing a db_name value that closes the expected string context and appends PHP code implementing a command dispatcher tied to the cmd GET parameter. Second, the attacker requests check.php?cmd=<command> to invoke the planted dispatcher and run arbitrary operating system commands under the privileges of the web server. The full chain is reproducible against any Dolibarr 7.0.3 instance whose install/ directory remains web-accessible. Technical details are documented in the Exploit-DB entry #44964 and the VulnCheck advisory.
Detection Methods for CVE-2018-25357
Indicators of Compromise
- POST requests to install/step1.php containing PHP tokens such as <?php, system(, passthru(, or $_GET[ inside the db_name parameter
- GET requests to check.php carrying a cmd parameter, especially from unauthenticated sources
- Unexpected modifications to Dolibarr configuration files under the htdocs/conf/ directory after initial setup
- Web server processes spawning shell utilities (sh, bash, cmd.exe, powershell.exe) shortly after access to install/ URLs
Detection Strategies
- Inspect web server access logs for any post-installation traffic to install/step1.php and check.php
- Alert on HTTP request bodies that contain PHP delimiters within form fields submitted to the Dolibarr installer
- Correlate process creation events on the web host with preceding HTTP requests to Dolibarr installation endpoints
Monitoring Recommendations
- Enable a web application firewall (WAF) rule that blocks PHP tags and dangerous function names in installer form parameters
- Continuously verify that the install/ directory is removed or access-restricted after Dolibarr is provisioned
- Forward web server, PHP-FPM, and host process telemetry to a centralized analytics platform for cross-source correlation
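The log inspection in the Detection Strategies and the request-body check behind the WAF recommendation can be prototyped together. The following is an added example written for this page, not code from Dolibarr, Exploit-DB or VulnCheck. It assumes Apache/nginx combined-format access logs, that check.php is served from the same install/ directory as step1.php (matching is on the script basename, so a different location still triggers), and uses constructed log lines that do not come from any real incident. The token list extends the indicators named above with exec( and shell_exec( as an assumption about likely sinks.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines in Apache "combined" format (not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [23/May/2026:10:02:15 +0000] "POST /install/step1.php HTTP/1.1" 200 812 "-" "curl/8.0"
203.0.113.9 - - [23/May/2026:10:02:20 +0000] "GET /install/check.php?cmd=hostname HTTP/1.1" 200 141 "-" "curl/8.0"
10.0.0.7 - - [23/May/2026:10:03:00 +0000] "GET /install/check.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# Fields needed from a combined-format line: client IP, timestamp, method, request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Installer scripts named in the advisory; check.php is assumed to live beside step1.php.
INSTALLER_SCRIPTS = ("step1.php", "check.php")

# PHP tokens listed as indicators, extended with further execution sinks (assumption).
PHP_TOKENS = ("<?php", "<?=", "system(", "passthru(", "exec(", "shell_exec(",
              "$_get[", "$_post[", "$_request[")


def php_tokens_in(value: str) -> list[str]:
    """Return the suspicious PHP tokens present in one form-field value.

    Intended for a WAF or request-body inspection hook, since access logs do not
    carry POST bodies. The value is URL-decoded so percent-encoded input is not
    missed, lower-cased, and whitespace before '(' is removed so 'system (' still
    matches 'system('.
    """
    decoded = unquote_plus(value).lower()
    decoded = re.sub(r"\s+\(", "(", decoded)
    return [tok for tok in PHP_TOKENS if tok in decoded]


def is_installer_request(target: str) -> tuple[str, bool]:
    """Return (path, has_cmd) when the target hits an installer script, else ("", False)."""
    parts = urlsplit(target)
    basename = parts.path.rsplit("/", 1)[-1]
    if basename not in INSTALLER_SCRIPTS:
        return "", False
    return parts.path, "cmd" in parse_qs(parts.query)


def scan_access_log(log_text: str) -> list[dict]:
    """Flag every request to a Dolibarr installer script.

    A provisioned host should see no installer traffic at all, so every hit is
    reported; a check.php request carrying a cmd parameter, or a POST to
    step1.php, is rated high because those are the two steps of the chain.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, has_cmd = is_installer_request(m["target"])
        if not path:
            continue
        if path.endswith("check.php") and has_cmd:
            severity, reason = "high", "check.php invoked with cmd parameter"
        elif m["method"] == "POST" and path.endswith("step1.php"):
            severity, reason = "high", "POST to installer step1.php after provisioning"
        else:
            severity, reason = "medium", "installer endpoint still reachable"
        alerts.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                       "path": path, "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ip']} {alert['method']} {alert['path']}: {alert['reason']}")
    print(php_tokens_in("acme_db%3C%3Fphp+system%28"))
```

Against the constructed lines this reports the POST to step1.php and the check.php request with a cmd parameter as high, and the bare check.php hit as medium (the directory is still reachable, which is itself a finding). Feed real logs captured after provisioning through scan_access_log and wire php_tokens_in into whatever layer sees decoded form fields.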
How to Mitigate CVE-2018-25357
Immediate Actions Required
- Upgrade Dolibarr ERP/CRM to a supported version beyond 7.0.3 that addresses the installer code injection flaw
- Remove or restrict network access to the install/ directory on all production deployments
- Audit Dolibarr configuration files for unexpected PHP code introduced through the db_name field
- Rotate database credentials and any secrets stored on hosts that ran the vulnerable installer while exposed
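The configuration audit in the list above can be automated. The following is an added example written for this page, not Dolibarr's own code. It assumes that the generated conf.php consists of `$dolibarr_*` string assignments such as `$dolibarr_main_db_name='...';` (plus the opening tag and comments), that a legitimate database name contains only identifier characters, and uses constructed file contents in which an obviously placeholder INJECTED_STATEMENT() stands in for any real payload.

```python
import re

# Constructed conf.php contents (not captured from a real system).
CLEAN_CONF = """<?php
$dolibarr_main_url_root='https://erp.example.internal';
$dolibarr_main_document_root='/var/www/dolibarr/htdocs';
$dolibarr_main_db_host='127.0.0.1';
$dolibarr_main_db_name='dolibarr_prod';
$dolibarr_main_db_user='dolibarr';
$dolibarr_main_db_type='mysqli';
"""

# Same file, but the db_name line no longer ends where a string assignment should:
# the quoted value is closed early and a placeholder statement follows it.
TAMPERED_CONF = """<?php
$dolibarr_main_url_root='https://erp.example.internal';
$dolibarr_main_document_root='/var/www/dolibarr/htdocs';
$dolibarr_main_db_host='127.0.0.1';
$dolibarr_main_db_name='dolibarr_prod';INJECTED_STATEMENT();//';
$dolibarr_main_db_user='dolibarr';
$dolibarr_main_db_type='mysqli';
"""

# Well-formed assignment, but the database name is not a plain identifier.
BAD_NAME_CONF = """<?php
$dolibarr_main_db_name='prod db';
"""

# A plain assignment: $dolibarr_<key> = 'literal'; with no quotes or backslashes inside.
ASSIGN_RE = re.compile(r"""^\$dolibarr_(?P<key>\w+)\s*=\s*(?P<q>['"])(?P<val>[^'"\\]*)(?P=q)\s*;$""")
COMMENT_RE = re.compile(r"^(//|#|/\*.*\*/$)")
# Allowlist for the database name: identifier characters only (assumption).
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")
PHP_TOKENS = ("<?php", "system(", "passthru(", "exec(", "$_get[", "$_post[", "$_request[")


def audit_conf(conf_text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for every line that is not what the installer should emit.

    Three checks: known execution tokens anywhere in a line, any line that is not a
    plain $dolibarr_* string assignment, and a db_name outside the identifier allowlist.
    The second check is what catches an early-closed string followed by extra code,
    because the value is required to run up to the closing quote and then end the line.
    """
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line in ("<?php", "?>") or COMMENT_RE.match(line):
            continue
        lowered = line.lower()
        toks = [t for t in PHP_TOKENS if t in lowered]
        if toks:
            findings.append((n, f"PHP tokens {toks} in configuration"))
        m = ASSIGN_RE.match(line)
        if not m:
            findings.append((n, "not a plain $dolibarr_* string assignment"))
            continue
        if m["key"] == "main_db_name" and not DB_NAME_RE.match(m["val"]):
            findings.append((n, f"db_name {m['val']!r} is outside the identifier allowlist"))
    return findings


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_CONF), ("tampered", TAMPERED_CONF), ("bad name", BAD_NAME_CONF)):
        print(name, audit_conf(text))
```

Point audit_conf at the real htdocs/conf/conf.php of each instance that ran the installer while exposed; an empty result means the file has the expected shape, while any finding warrants treating the host as compromised and following the credential rotation step above.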
Patch Information
No vendor advisory URL is referenced in the NVD entry for CVE-2018-25357. Administrators should obtain the latest release from the Dolibarr official website or the GitHub Dolibarr repository and apply it to all instances running 7.0.3.
Workarounds
- Delete the htdocs/install/ directory immediately after completing initial Dolibarr setup
- Place the application behind authentication or IP allowlisting at the reverse proxy layer until patched
- Deploy WAF signatures that reject installer requests containing PHP code in form parameters
- Run the PHP process under a least-privileged account to limit the impact of successful command execution
# Configuration example: restrict access to the Dolibarr install directory in Apache 2.4.
# With Apache's default RequireAny semantics, access is granted only when a Require
# directive matches, so listing the loopback address alone denies every other client.
<Directory "/var/www/dolibarr/htdocs/install">
    Require ip 127.0.0.1
</Directory>
# Or remove the directory entirely once setup is complete
rm -rf /var/www/dolibarr/htdocs/install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.