usd-2019-0052 | Dolibarr ERP/CRM ver. 3.0 – 10.0.3


Advisory ID: usd-2019-0052
CVE Number: CVE-2019-19210
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 – 10.0.3
Vulnerability Type: Stored XSS
Security Risk: High
Vendor URL: https://www.dolibarr.org/
Vendor Status: Fixed (not verified)

Description

An authenticated user can upload a malicious HTML file as a product document. Even though the uploaded file is given the extension ".noexe", document.php serves it with the Content-Type "text/html", so the browser renders it as HTML. The same applies to SVG files.

Proof of Concept (PoC)

test.html:

<html>
<body>
<script>alert("XSS")</script>
</body>
</html>

Request the uploaded document:

/dolibarr/htdocs/document.php?modulepart=produit&entity=1&attachment=0&file=1234%2F1234-test.html.noexe

Fix

Do not serve user-uploaded files with a Content-Type that allows the browser to interpret them as HTML; for example, use "application/octet-stream".
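A defensive illustration of that fix, added here and not part of the advisory or of Dolibarr's own code: a Python helper that builds download-safe response headers for any uploaded file regardless of its extension, plus an audit function that flags the unsafe header combination the advisory describes. The function names and header policy are my own assumptions, not Dolibarr's API.

```python
import re
from urllib.parse import quote

# Content types a browser renders as a document and in which script can run
# (the two cases the advisory names: HTML and SVG).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def safe_download_headers(filename: str) -> dict:
    """Headers for serving a user-uploaded file as an opaque download.

    The extension (including a '.noexe' suffix) is deliberately ignored: the
    browser always gets application/octet-stream, an attachment disposition
    and nosniff, so neither HTML nor SVG content is rendered inline.
    """
    base = filename.rsplit("/", 1)[-1]  # drop any path component
    ascii_name = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": (
            f'attachment; filename="{ascii_name}"; '
            f"filename*=UTF-8''{quote(base)}"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def audit_download_headers(headers: dict) -> list:
    """Return findings for the headers a file-download endpoint sends.

    A response that serves an uploaded '.noexe' file as text/html without an
    attachment disposition (the advisory's case) yields three findings.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "").strip().lower()
    findings = []
    if ctype in ACTIVE_TYPES:
        findings.append(f"active content type {ctype}: HTML/SVG will be rendered")
    if not disp.startswith("attachment"):
        findings.append("missing 'Content-Disposition: attachment'")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing 'X-Content-Type-Options: nosniff'")
    return findings
```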

Timeline

  • 2019-09-06 Vulnerability discovered by Daniel Hoffmann
  • 2019-09-11 First contact with vendor
  • 2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)
  • 2020-02-05 Security advisory released

Credits

This security vulnerability was discovered by Daniel Hoffmann of usd AG.