HTML Injection #2857

Closed
naxonez opened this issue May 20, 2015 · 10 comments
Labels
Bug This is a bug (something does not work as expected) Security This is a bug identified as a security bug Volunteer wanted (reserved tag) External developers are welcome to work on this.

Comments

@naxonez

naxonez commented May 20, 2015

[*] Page affected

  • dolibarr-3.7.0/htdocs/societe/societe.php
  • dolibarr-3.7.0/htdocs/societe/admin/societe.php

[*] Fields affected

  • Business Search (search_nom)

[*] PoC
You only need to inject the script code in this field, like:

"> < img src='http://www.xxx.com >

@rdoursenaud rdoursenaud added version 3.7.0 Priority - High / Blocking This is a security hole or a bug that make a feature not possible to use or very expected feature. Bug This is a bug (something does not work as expected) labels May 20, 2015
@rdoursenaud
Member

All left menu search fields are affected! (Contacts, products, members…)

This would allow crafting a malicious URL embedding a nasty script.

Good catch!

@naxonez
Author

naxonez commented May 20, 2015

Thanks!!

I hope that this helps you to increase the security of this product :))

Regards.

@rdoursenaud
Member

Versions 3.5 and 3.6 also affected!

@rdoursenaud
Member

This is everywhere. Will take a bit of time to fix'em all…

@eldy
Member

eldy commented Jun 8, 2015

Patch was merged so I close the bug

@eldy eldy closed this as completed Jun 8, 2015
@rdoursenaud rdoursenaud reopened this Jun 8, 2015
@rdoursenaud rdoursenaud added the Volunteer wanted (reserved tag) External developers are welcome to work on this. label Jun 8, 2015
@eldy eldy removed Volunteer wanted (reserved tag) External developers are welcome to work on this. Priority - High / Blocking This is a security hole or a bug that make a feature not possible to use or very expected feature. labels Jul 7, 2015
@rdoursenaud rdoursenaud self-assigned this Jul 8, 2015
@eldy eldy added the Security This is a bug identified as a security bug label Aug 18, 2015
@marcosgdf
Contributor

Is it fixed or not fixed? The bug has been closed&reopened

@naxonez
Author

naxonez commented Dec 28, 2015

I think that is not fixed yet.

2015-12-28 16:57 GMT+01:00 Marcos García notifications@github.com:

Is it fixed or not fixed? The bug has been closed&reopened



@rdoursenaud rdoursenaud added the Volunteer wanted (reserved tag) External developers are welcome to work on this. label Jan 8, 2016
@rdoursenaud
Member

@marcosgdf Some have been fixed (the specifically reported ones). But vulnerable code is still all over the place. This is a profound issue with Dolibarr's project coding practices (very low level, very light abstraction model, so everything needs to be escaped manually and is almost always forgotten). Quite a lot of work is still to be done. Check the commit I did to fix the original issue to have a glimpse at what needs to be done elsewhere and feel free to help ;)
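
The manual output escaping described in the comment above, shown on the reported `search_nom` field. This is an added example, not part of the original thread and not Dolibarr's code; the function names are hypothetical and the payload is the one quoted in the report.

```php
<?php
// Added illustration, not Dolibarr code; function names are hypothetical.

// Vulnerable pattern: the submitted value is concatenated into the attribute as-is.
function render_search_unsafe(string $searchNom): string
{
    return '<input type="text" name="search_nom" value="' . $searchNom . '">';
}

// Escape at the point of output. ENT_QUOTES encodes both " and ', so the value
// cannot terminate the attribute whichever quote style the template uses.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_safe(string $searchNom): string
{
    return '<input type="text" name="search_nom" value="' . h($searchNom) . '">';
}

// Parse the rendered markup and return what an HTML parser reads back as the
// field's value. If it differs from the submitted string, the input left its
// attribute and the remainder was interpreted as markup.
function parsed_value(string $html): string
{
    libxml_use_internal_errors(true);   // tolerate parse warnings on broken markup
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

// Payload quoted from the report in this issue.
$submitted = "\"> < img src='http://www.xxx.com >";

foreach (['unsafe' => 'render_search_unsafe', 'safe' => 'render_search_safe'] as $label => $render) {
    $html = $render($submitted);
    $intact = parsed_value($html) === $submitted;
    printf("%-6s %s\n       value round-trips intact: %s\n", $label, $html, $intact ? 'yes' : 'no');
}
```

The round-trip comparison in `parsed_value()` can be reused as a regression check for each search field once its output is escaped.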

@rdoursenaud
Member

Upon closer inspection, my fix (for 3.5) has not made it to develop (future 3.9)!
@eldy @simnandez Aren't we supposed to merge previous branches in the newest ones on a regular basis?
Looks like 3.8 has never been merged in develop…

rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue Jan 8, 2016
… data by default

This should mitigate most HTML injections allowing XSS.
rdoursenaud added a commit to GPCsolutions/dolibarr that referenced this issue Jan 8, 2016
… data by default

This should mitigate most HTML injections allowing XSS.
@eldy
Member

eldy commented Jan 8, 2016

Branches were merged. However, it is possible that conflicts were not correctly solved and we lost changes.
I close this bug because having it open and close and open and close when the case reported is fixed makes us lose time to understand if it is fixed or not.
If another hole is found, opening another ticket will be better, describing where the bug is (URL affected) so dev would be able to fix it.

@eldy eldy closed this as completed Jan 8, 2016
4 participants