New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stored XSS -> CSRF -> Admin Account Takeover #11671
Comments
Hi! I think it's better to share to security@dolibarr.org than public report. |
Hey, |
tks! |
@gauravnarwani97 @dolibarr95 |
tks :) |
Do you want me to send the email personally? |
@gauravnarwani97 i'm not admin or in the dolibarr team please only send to @dolibarr.org |
@eldy what about this : https://help.github.com/en/articles/adding-a-security-policy-to-your-repository ? Do you think It could be userfull? |
A CVE Number CVE-2019-15062 is assigned to this issue. |
Thanks @gauravnarwani97
We are aware that blacklist to avoid XSS is not enough and we rely ONLY on sanitizing and escaping data as you suggest (even if this issue show we missed some). But we keep the blacklist as another shield (even if it is not the reliable method we trust in). Note that we are also working on an option called "MAIN_SECURITY_CSRF_WITH_TOKEN" (add into home - setup - constant to 1) so the CSRF protection is not done on referrer only but also on a rolling token parameter inside the form. It is already implemented into v10 as hidden feature and need to be stabilized to become a default value. I don't know if this option would have effect or not on this case, it is just to get your feedback... |
@dolibarr95 I added the SECURITY.md file as suggested by https://help.github.com/en/articles/adding-a-security-policy-to-your-repository |
+1 |
Bug
Hello Team, Dolibar 11.0.0-alpha suffers from a Stored XSS in the Label field of Link a new file/document in Linked Files of the User. An attacker could use this feature to introduce a CSRF which would completely takeover admin's account. The protection for CSRF is restricted to referrer header and so if a CSRF request is stored inside the application, this feature is bypassed leading to change of account details. Moving to XSS, the various protections do just display an error message when certain keywords forming an XSS payload. This can be easily bypassed by using an object tag with base64 encoding our payload inside it. For to convert the XSS to CSRF, i'm using the iframe tag inside the object tag to load my CSRF request in its src attribute.
How to takeover admin account? A request is sent to user/card.php where various details of admin can be changed i.e id=1. The attacker just needs the login username of the admin with some random values in firstname and lastname to successfully submit a request. In this request password of admin can be changed, because it does'nt have field to enter previous password for validation. Hence it can be used to submit new password for admin and hence taking over admin account.
Environment
http://localhost/dolibarr/user/document.php?userid=2 -> XSS/CSRF
http://localhost/dolibarr/user/card.php -> CSRF request sent to this URL
Expected and actual behavior
Expected behaviour: The application should block insertion of tags in pages which would lead to these issues.
Actual behaviuor: The application doesn't block tags and hence leads to XSS/CSRF
Steps to reproduce the behavior
Login to user account as we will send a request from user to admin, just to show severity of impact. Here i'm logging into user asd and go to user card and click on Linked FIles Tab
You will see that a user cannot add the Link a new file/document. To bypass this just open inspect element and hover to LINK box.
</td></tr><object data=data:text/html;base64,PGlmcmFtZSBzcmM9Imh0dHA6Ly9sb2NhbGhvc3QvZG9saWJhcnIvY3NyZi5odG1sIj48L2lmcmFtZT4=><tr><td>
in the LabelThis is an iframe with source as a csrf file. <iframe src="http://localhost/dolibarr/csrf.html"> is the payload which is base64 encoded. You can add any source like upload it to your server as csrf.html . A new file will be added on behalf of user.
As you can see in image 6_1.png the admin firstname and lastname is admin admin. Now lets open the user asdasd asd.
Head to Users & Groups tab -> Click on user asdasd asd (6_2.png).
Head to Linked files of user.
If you will see that the iframe is seen on the webpage which executes our CSRF succcessfullly changing the details of admin
Suggested steps
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:
In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
Here the xss protection is by using blacklist. Please don't use that, instead use the above mentioned approach
The text was updated successfully, but these errors were encountered: