dolibarr/dolibarr

vulnerability cross-site scripting (xss)
severity 4.4
language php
registry packagist

Description

dolibarr is a modern and easy to use web software to manage your business. The error page is vulnerable to (self) XSS because of lack of escaping on $_SERVER['HTTP_USER_AGENT'] variable before printing it.

The flaw is in the dol_print_error function (in the htdocs/core/lib/functions.lib.php file)

PoC

  1. Log into your dolibarr instance
  2. Change your browser user-agent by appending something like <script>alert(document.domain);</script>
  3. Modify the URL in order to throw an error (for example: http://dolibarr/document.php?modulepart=.&attachment=0&file=dddd&&entity=10&&entity=1000&&entity=101&mainmenu=home)
  4. XSS is fired