GHSA-49xw-hw94-fmv2: Dolibarr has Remote Code Execution Vulnerability (Bypass)
The Dolibarr backend provides a function for adding a Menu and supports setting permissions on the added Menu.
This is the trigger point of the vulnerability: the submitted permission can be PHP code, and it is executed when the created Menu is viewed. The affected file is:
- htdocs/admin/menus/edit.php
In edit.php, if the created menu has $menu->perms set, the dol_eval() method is called on it. Inside dol_eval(), dangerous PHP functions in $menu->perms are filtered through the blocklist held in $forbiddenphpfunctions.
However, the blocklist is not comprehensive. For example, include_once and require_once (language constructs rather than functions, so a function-name blocklist never matches them) pass the blocklist check, which leads to a file inclusion vulnerability. Moreover, if the allow_url_include option is enabled in php.ini, this becomes arbitrary code execution. Most seriously, combined with the file upload at /htdocs/user/document.php?id=1&uploadform=1, it yields more general arbitrary code execution.
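The following is an added illustration, not Dolibarr's own code, of why a function-name blocklist of the kind described above is the wrong shape of filter for a string that will be evaluated: it contrasts such a blocklist with a token allowlist built on PHP's tokenizer. The function names, the token lists and the sample expressions are assumptions for the demonstration; the allowlist only admits the grammar a permission expression needs, so include/require and any bare function call are refused without having to be named.

```php
<?php
// Added illustration, not Dolibarr code: a function blocklist versus a token
// allowlist for strings that are going to be evaluated as permission expressions.
// All names here (blocklistAllows, allowlistAllows, the token lists) are assumptions.

// A blocklist filter in the spirit of the one described above: it only knows the
// function names it was given. Constructs it has never heard of pass untouched.
const FORBIDDEN_FUNCTIONS = ['exec', 'system', 'passthru', 'shell_exec', 'eval'];

function blocklistAllows(string $expr): bool
{
    foreach (FORBIDDEN_FUNCTIONS as $fn) {
        if (stripos($expr, $fn) !== false) {
            return false;
        }
    }
    return true;
}

// Allowlist filter: tokenize the string and accept only what a permission
// expression needs. include/require are language constructs, not functions,
// so they never match a function blocklist, but they are not on this allowlist
// and are rejected like any other unexpected token.
const ALLOWED_TOKENS = [
    T_VARIABLE, T_OBJECT_OPERATOR, T_STRING, T_LNUMBER, T_CONSTANT_ENCAPSED_STRING,
    T_WHITESPACE, T_BOOLEAN_AND, T_BOOLEAN_OR, T_IS_EQUAL, T_IS_NOT_EQUAL,
    T_IS_IDENTICAL, T_IS_NOT_IDENTICAL, T_IS_GREATER_OR_EQUAL, T_IS_SMALLER_OR_EQUAL,
    T_ISSET, T_EMPTY,
];
const ALLOWED_CHARS = ['(', ')', '!', '<', '>', ','];

function allowlistAllows(string $expr): bool
{
    $tokens = token_get_all('<?php ' . $expr);
    array_shift($tokens); // drop the T_OPEN_TAG we prepended
    $prevId = null;
    foreach ($tokens as $tok) {
        if (is_string($tok)) {               // single-character token
            if (!in_array($tok, ALLOWED_CHARS, true)) {
                return false;
            }
            $prevId = $tok;
            continue;
        }
        [$id, $text] = $tok;
        if (!in_array($id, ALLOWED_TOKENS, true)) {
            return false;
        }
        // Bare identifiers are only acceptable as property names after "->"
        // or as the literals true/false/null; a bare function name is refused.
        if ($id === T_STRING
            && $prevId !== T_OBJECT_OPERATOR
            && !in_array(strtolower($text), ['true', 'false', 'null'], true)) {
            return false;
        }
        if ($id !== T_WHITESPACE) {
            $prevId = $id;
        }
    }
    return true;
}

// Constructed sample expressions: two normal permission checks, two strings that
// a function blocklist waves through but the allowlist rejects, and one that
// both filters stop.
$samples = [
    '$user->rights->facture->lire',
    '$user->admin || ($user->rights->societe->creer && !empty($conf->global->MAIN_FEATURE))',
    'include_once "/placeholder/path"',
    'require_once "/placeholder/path"',
    'system("x")',
];
foreach ($samples as $s) {
    printf("%-85s blocklist:%-7s allowlist:%s\n", $s,
        blocklistAllows($s) ? 'pass' : 'reject',
        allowlistAllows($s) ? 'pass' : 'reject');
}
```

Run it with `php` on the command line: the two permission checks pass both filters, `system("x")` is rejected by both, and the two include/require strings pass the blocklist but are rejected by the allowlist. The design point is that the allowlist never has to enumerate what is dangerous; anything outside the expected grammar is refused, and the string is validated before, not during, evaluation. If real permission strings also need array access or other operators, those tokens are added to the allowlist deliberately rather than discovered as gaps in a blocklist.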