sobota, 20 października 2018

Stored XSS in Dolibarr 8.0.2

Last time I found few XSS bugs in Dolibarr ERP/CRM (version 8.0.2) available at Bitnami. Maybe you will find it useful...

...don't worry. Most of them are located in admin-part-of-webapp but there is one more little bug that can be used during your pentest.

So you (as an admin) can create 'new user'. Go to the Dashboard->Users & Groups to do that:

Thing is when you will create that 'newuser' ("no Admin" of course) there will be an error message:

So ok. User is created, I tried to use new account and switched to 'tester2':

"Access denied." Great but as you can see there is a link to 'Tools' as well where we can find Email templates:

On the link we will find a nice form unfortunately vulnerable to XSS:

Let's try:

Click 'Add' to see something like:

Let's try to add something else:


To make it more 'persistent' we need to add more content to fields available in our 'email template':

And we should see:

Now when you will switch again to the admin account, go to the Tools->Email templates, and see that the code added by user 'without any permissions' set ("access denied") - even if he/she can login - admin is still exposed to XSS-attacks:

 * default 'Admin user name' for Bitnami's VMs is (in 90% cases;) ) is 'user'.

Case for you - to use Burp (ex: 'Battering Attack') to check if there is possibility to inject some other tags than 'marquee' ... ;)


Few other places vulnerable (this time only for admin panel) are described below:

# Max number of lines for widgets:

To grab the name of the param I used DeveloperTools available in Firefox:

Now we can try to find that param name in the source:

Let's read ./admin/boxes.php to check lines mentionedby grep:

Ok I see some potential here ;) We will use that "pattern" later:

dolibarr_set_const($db, "MAIN...", $_POST["MAIN..."],'',0,'',$conf->entity);

Let's go directly to the line 51:

And here we are - line 471:

It's just an example... "Reason" I think so ;)

I decided to save the output to /tmp/set_const.txt to read it later. Trying very first file - limits.php


Ok, let's 'modify' some values (goto 'Limits' section and click 'Modify'):

Using the same (marquee)payload we tried before.. Checking:

Maybe later I'll find something else.


Brak komentarzy:

Prześlij komentarz