: Fixed (not verified)<\/span><\/p>\n<\/div>\n<\/h3>\nDescription<\/h3>\n
Multiple vulnerabilites due to insufficent filtering of the HTTP Header \u201eAccept-Language\u201c.
The unfiltered, but modified, variable \u201e$langs->defaultlang\u201c gets used in multiple locations. This leads to XSS and SQL injection.<\/p>\n
An incomplete list of files using this variable:<\/p>\n
XSS
\u2013 \/dolibarr\/htdocs\/admin\/system\/dolibarr.php (directly accessing $_SERVER[\u201eHTTP_ACCEPT_LANGUAGE\u201c])
\u2013 \/dolibarr\/htdocs\/admin\/mails_templates.php
\u2013 \/dolibarr\/htdocs\/main.inc.php<\/p>\n
SQL Injection
\u2013 \/dolibarr\/htdocs\/admin\/mails_templates.php
No exploit found to exfiltrate data due to the preprocessing of the value<\/p>\n
Proof of Concept (PoC)<\/h3>\n
XSS<\/strong>: Submit a GET request to the given URL and intercept the request. Change the Accept-Language header as stated below and forward the request. A popup should occur displaying the cookie.<\/span><\/p>\n[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-security-advisories-usd-2019-0051-XSS.png\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd-security-advisories-usd-2019-0051-XSS\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
<html><\/code><\/pre>\n[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
SQL injection:<\/strong> Submit a GET request to the given URL and intercept the request. Change the Accept-Language header as stated below and forward the request. An error message should be displayed revealing the query.<\/span><\/p>\n[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-security-advisories-usd-2019-0051-SQLi.png\" title_text=\"usd-security-advisories-usd-2019-0051-SQLi\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n
\n
\n
Fix<\/h3>\n
Validate the HTTP Header Accept-Language and ignore invalid values. Furthermore filter the value, according to its usage.<\/span><\/p>\n<\/h3>\nTimeline<\/h3>\n\n- 2019-09-06 Vulnerability discovered by Daniel Hoffmann<\/li>\n
- 2019-09-11 First contact with vendor<\/li>\n
- 2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)<\/li>\n
- 2020-02-05 Security advisory released<\/li>\n<\/ul>\n
Credits<\/h3>\n
This security vulnerability was discovered by Daniel Hoffmann of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
usd-2019-0051 | Dolibarr ERP\/CRM ver. 3.0 \u2013 10.0.3 Advisory ID: usd-2019-0051CVE Number: CVE-2019-19209Affected Product: Dolibarr ERP\/CRMAffected Version: 3.0 \u2013 10.0.3Vulnerability Type: Reflected XSS, SQL injectionSecurity Risk: HighVendor URL: https:\/\/www.dolibarr.org\/Vendor Status: Fixed (not verified) Description Multiple vulnerabilites due to insufficent filtering of the HTTP Header \u201eAccept-Language\u201c.The unfiltered, but modified, variable \u201e$langs->defaultlang\u201c gets used in multiple locations. […]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16623","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16623"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16623\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}