
CVE-2021-25957

Date: August 17, 2021

Overview

In the “Dolibarr” application, versions v3.3.beta1_20121221 through v13.0.2 give admin level users “Modify” access to change other users' details, but fail to check that the new “Login” name does not already belong to another account when a user's “Login” is renamed. This leads to complete account takeover of the victim user: the password set for the renamed account overwrites the password of the existing user with the same login name.

Details

The “Dolibarr” application is vulnerable to “Account Takeover Via Password Reset Functionality”. A low privileged user (alice) can reset the password of any other user in the application: she requests a forgotten-password reset for her own account, receives the reset link by email, and edits the username carried in that link to the victim's login. The link carries no secret bound to the account it was issued for, so the application accepts the modified username.

PoC Details

For demonstration purposes we will use two users: “Admin” (administrator) and “alice” (low privileged user).

1. Log into the application and configure the SMTP section (fill in the SMTP ID, SMTP password and automatic email sender), so that reset emails can be delivered.
2. Under the Users & Groups tab, click on the "alice" user, select Modify and add an email address.
3. Log out and open the forgot-password link from the login page. Enter the low privileged username “alice” and click “regenerate and send password”. A message is displayed saying that an email was sent to “alice”.
4. “alice” receives a link to reset the password. The link contains the “username” and the MD5 hash of the new “password”, for example:
http://host/user/passwordforgotten.php?action=validatenewpassword&username=alice&password=d41d8cd98f00b204e9800998ecf8427e
5. Copy the link, change the username from “alice” to “Admin” and send the request. The application applies the password from the link to the “Admin” account.

“Admin” can now log into the application with an empty password: d41d8cd98f00b204e9800998ecf8427e is the MD5 hash of the empty string, so the new password that alice requested (and that was then written into the Admin account) is empty. The only value in the link that behaves like a secret is the hash of the new password itself; nothing ties the link to the user it was generated for, which is why the username can be swapped.

Affected Environments

Dolibarr versions 2.8.1 through 13.0.2

Prevention

Upgrade to version 14.0.0

Language: PHP

Good to know:


Weak Password Recovery Mechanism for Forgotten Password

CWE-640

Upgrade Version

Upgrade to version dolibarr/dolibarr - 14.0.0


Base Score (CVSS v3):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score (CVSS v2):
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial