SQL or Script injection protection in main.inc.php

Hello people,

I wanted to tell you that every time I try to modify/edit one of the ledger accounts in my chart of accounts (Accounting > Configuration > Chart of accounts > List of ledger accounts) I get this error:

Access refused to... by SQL or Script injection protection in main.inc.php - GETPOST type=1 paramkey=0 paramvalue=action=update&token=d0469427bb5e5e2ebdf12d4af56b624f&id=8&backtopage=/dolibarr/accountancy/admin/account.php?&contextpage=accountingaccountlist page=/dolibarr/accountancy/admin/card.php?action=update&token=d0469427bb5e5e2ebdf12d4af56b624f&id=8&backtopage=%2Fdolibarr%2Faccountancy%2Fadmin%2Faccount.php%3F%26contextpage%3Daccountingaccountlist

I would like to know how to correct it, since it does not allow me to edit accounts, but I have to delete and redo the account again.

Greetings and thank you very much in advance.

PS: sorry for my English

This looks like a bug.
Which version (accurate value x.y.z required) of Dolibarr do you use?
Can you provide a screenshot of the page before you click on submit?
Is it possible to have online access to this page? If yes, you can send private access to me at eldy@destailleur.fr so I can diagnose…

Hi,

I am using Dolibarr 15.0.2.

You will find the screenshot attached here.

Yes, you can access my Dolibarr, your credentials have already been sent to the email you indicated.

Thanks a lot.

I received your access and found the trouble.
This is a bug in the Web Application Firewall that returns a false positive.
The fix is to modify, in file main.inc.php, the line

$inj += preg_match('/update.+set.+=/i', $val);

into

$inj += preg_match('/update[^&].*set.+=/i', $val);

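The effect of the change above on a few constructed inputs, as an added example that is not part of the original thread or of Dolibarr's code. Only the two patterns are taken from the post; the sample values (including the `search_label` parameter, `some_table` and the `TOKEN` placeholder) are assumptions made for illustration.

```php
<?php
// Added illustration, not Dolibarr source. Only the two patterns come from the thread.
const OLD_RULE = '/update.+set.+=/i';
const NEW_RULE = '/update[^&].*set.+=/i';

/**
 * Run both rules over one candidate value and describe how the fix changes the outcome.
 */
function compare_rules(string $val): array
{
    $old = preg_match(OLD_RULE, $val);
    $new = preg_match(NEW_RULE, $val);
    if ($old === false || $new === false) {
        throw new RuntimeException('regex error code ' . preg_last_error());
    }
    if ($old && !$new) {
        $verdict = 'blocked before the fix, allowed after';
    } elseif ($old && $new) {
        $verdict = 'blocked by both rules';
    } else {
        $verdict = 'allowed by both rules';
    }
    return ['old' => $old, 'new' => $new, 'verdict' => $verdict];
}

// Constructed sample values (assumptions, not taken from a real request).
$samples = [
    // "update" is a form action; "set" only appears inside a later value ("assets").
    'edit form with "set" in a later value' =>
        'action=update&token=TOKEN&id=8&search_label=assets&contextpage=accountingaccountlist',
    // No "set" anywhere after "update": neither rule fires.
    'edit form without "set"' =>
        'action=update&token=TOKEN&id=8',
    // SQL-shaped value: "update" is followed by a space, so the new rule still fires.
    'SQL UPDATE statement' =>
        'update some_table set some_col=1 where id=8',
    // The new rule only exempts "update" directly followed by "&"; a longer
    // action name followed later by "set...=" is still treated as an injection.
    'longer action name with "set" later' =>
        'action=updateline&id=8&label=assets&x=1',
];

foreach ($samples as $label => $val) {
    $r = compare_rules($val);
    printf("%-40s old=%d new=%d  %s\n", $label, $r['old'], $r['new'], $r['verdict']);
}
```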
Thank you very much Eldy,

I made the modification in the code line according to your instructions and everything is working perfectly now.

I appreciate it a lot.

Regards.