install/step1.php db_name RCE in Dolibarr ERP CRM 7.0.3, critical data breach risk

What happened

The striking bit is the file and the parameter, install/step1.php and the db_name field. Dolibarr ERP CRM 7.0.3 contains a remote code evaluation vulnerability that lets an unauthenticated attacker inject PHP via the db_name parameter and then run commands through the check.php cmd parameter.

The advisory flags this as Severity 9.8, critical. Anyone running Dolibarr ERP CRM 7.0.3 is exposed, full stop. When this was discovered or first reported has not been disclosed, and there’s no vendor timeline in the information provided here.

Why this matters to businesses

Because Dolibarr is an ERP and CRM, compromise can hit core business processes, customer records and invoicing systems. Customers, partners and suppliers that rely on those systems can get dragged in, and internal teams spend days on damage control instead of delivering work.

Since the flaw allows arbitrary code execution without authentication, the obvious consequences are data theft, fraudulent invoices, encrypted systems and prolonged outages. Boards will be asked awkward questions about supplier risk management and patching cadence, and regulators may want answers if personal data is involved.

Look, leaving installer pages reachable is a very avoidable habit. "Patch later" thinking, shared admin accounts and installer scripts left in place after setup are classic bits of negligence that make incidents like this possible.

If you’ve got the same weakness, here’s what happens next

If your install has the vulnerable endpoints exposed, an attacker can upload or run a web shell, gain persistence and move laterally to databases or file shares. Since the entry point is unauthenticated, compromise can be quick and quiet.

Following that, you may see data quietly exfiltrated, automated ransomware deployed, or fraud attempts where attacker-controlled code alters invoices or payment details. Recovery costs spiral, customers call, and leadership time vanishes into incident calls.

What to do on Monday morning

  1. Inventory internet-facing Dolibarr instances and search for install/step1.php and check.php endpoints; block access at the edge if found.
  2. Remove or lock installer pages and any leftover setup scripts immediately, or restrict them to internal networks only.
  3. Check web logs for POST requests to install/step1.php and GETs to check.php with cmd parameters; preserve logs for incident handling.
  4. Rotate database and admin credentials that might be exposed, and force password changes for service accounts if you cannot prove they were not accessed.
  5. Isolate affected servers and take forensic snapshots before making changes, then restore from clean backups if compromise is confirmed.
  6. Contact your vendor or community channel for a confirmed patch or mitigation, and apply updates as soon as they’re available.
  7. Harden web application controls, add WAF rules to block suspicious POSTs targeting install/step1.php and monitor for web-shell indicators.
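As an added illustration of step 3 (not code from the original post or from the Dolibarr project), the following Python scans combined-format web access logs for the two request patterns the checklist names, plus any other hit on the installer directory. The log lines are constructed samples and the finding labels are my own naming.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined access-log format (Apache/nginx default). Status/size fields are kept loose.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample traffic, not taken from any real incident.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2024:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.20 - - [01/Oct/2024:09:12:05 +0000] "POST /install/step1.php HTTP/1.1" 200 812
203.0.113.20 - - [01/Oct/2024:09:12:09 +0000] "GET /install/check.php?cmd=test HTTP/1.1" 200 143
203.0.113.30 - - [01/Oct/2024:09:13:00 +0000] "GET /install/check.php HTTP/1.1" 200 2211
203.0.113.40 - - [01/Oct/2024:09:14:00 +0000] "GET /install/step1.php HTTP/1.1" 200 3301
"""

def classify(method, target):
    """Label one request, or return None if it does not touch the installer."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query)
    # Checklist step 3: POSTs to the installer step that accepts db_name...
    if method == "POST" and path.endswith("/install/step1.php"):
        return "installer-post"
    # ...and GETs to check.php that carry a cmd parameter.
    if method == "GET" and path.endswith("/check.php") and "cmd" in params:
        return "check-cmd"
    # Any other hit on the installer directory shows it is still reachable (step 2).
    if "/install/" in path:
        return "installer-reachable"
    return None

def scan(log_text):
    """Return (ip, timestamp, label, target) for every suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        label = classify(m.group("method"), m.group("target"))
        if label:
            findings.append((m.group("ip"), m.group("ts"), label, m.group("target")))
    return findings

if __name__ == "__main__":
    for ip, ts, label, target in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {label:20} {target}")
```

Point `scan()` at a real access log and feed the results into your incident record; an "installer-reachable" hit on a production host is itself a finding even when no POST follows.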

Where ISO standards fit, without the sales pitch

Having an ISO 27001-aligned management system reduces the chance that installer pages get left live in production, because it forces the organisation to control change, manage asset inventory and document access control. See Synergos’ ISO 27001 page for a plain explanation of how those controls hang together, https://synergosconsultancy.co.uk/iso27001/.

When continuity and recovery matter, a BCMS keeps recovery steps rehearsed so you can restore critical services while forensics happens, see https://synergosconsultancy.co.uk/iso-22301-business-continuity-management-system-bcms/.

For baseline cyber hygiene and supplier checks, an IASME-style certification framework helps codify controls and prove to partners you’re not leaving installer scripts on the public web, see https://synergosconsultancy.co.uk/iasme-certifications/.

Standards won’t stop every flaw, but they make simple, high-value mistakes harder to keep doing.

Take a breath, then act. If you run Dolibarr ERP CRM 7.0.3, treat this as urgent and start with the installer endpoints and logs.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.