usd-2019-0052 | Dolibarr ERP/CRM ver. 3.0 – 10.0.3
Advisory ID: usd-2019-0052
CVE Number: CVE-2019-19210
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 – 10.0.3
Vulnerability Type: Stored XSS
Security Risk: High
Vendor URL: https://www.dolibarr.org/
Vendor Status: Fixed (not verified)
Description
An authenticated user can upload a malicious HTML file as a product document. Even though the stored file is given the extension ".noexe", document.php serves it with the content type "text/html", so the browser renders the embedded script in the context of the Dolibarr origin. The same applies to SVG files.
Proof of Concept (PoC)
test.html:
<html>
<body>
<script>alert("XSS")</script>
</body>
</html>
Request the uploaded document:
/dolibarr/htdocs/document.php?modulepart=produit&entity=1&attachment=0&file=1234%2F1234-test.html.noexe
Fix
Do not serve user-uploaded files with a content type that allows them to be interpreted as HTML; for example, use "application/octet-stream" (and send them as an attachment).
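As an added example (not Dolibarr's own code) of the fix above: a check that flags download responses which would let the browser render an uploaded file, and a helper that builds the hardened headers. The header values are constructed to mirror the vulnerable and fixed behaviour described in this advisory; the function names are assumptions.

```python
# Added example, not Dolibarr code. Decides whether a file-download response
# would render a user upload (the stored-XSS pattern in this advisory) and
# builds headers that force a download instead.
from urllib.parse import quote

# Content types a browser executes script from when it renders them inline.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}

def _media_type(value):
    # "text/html; charset=utf-8" -> "text/html"
    return value.split(";", 1)[0].strip().lower()

def is_unsafe_download(headers):
    """True if an uploaded file served with these headers could run script."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = _media_type(h.get("content-type", ""))
    disposition = h.get("content-disposition", "").split(";", 1)[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if disposition == "attachment":
        return False          # browser saves the file instead of rendering it
    if ctype in ACTIVE_CONTENT_TYPES:
        return True           # rendered inline: HTML/SVG script executes
    if ctype == "" and not nosniff:
        return True           # no declared type: browser may sniff it as HTML
    return False

def safe_download_headers(filename):
    """Headers that make the browser download a user file rather than render it."""
    # Keep only the last path component and drop quote/backslash/control chars
    # from the ASCII filename; the UTF-8 form carries the original name.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    ascii_name = "".join(
        c if 32 <= ord(c) < 127 and c not in '"\\' else "_" for c in base
    ) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition":
            f'attachment; filename="{ascii_name}"; filename*=UTF-8\'\'{quote(base, safe="")}',
        "X-Content-Type-Options": "nosniff",
    }

# Constructed sample: headers as a vulnerable document.php would send them.
VULNERABLE_RESPONSE = {"Content-Type": "text/html; charset=utf-8"}
```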
Timeline
- 2019-09-06 Vulnerability discovered by Daniel Hoffmann
- 2019-09-11 First contact with vendor
- 2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)
- 2020-02-05 Security advisory released
Credits
This security vulnerability was discovered by Daniel Hoffmann of usd AG.