CVE-2021-25957

Overview

In “Dolibarr” application, v3.3.beta1_20121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since the password gets overwritten for the victim user having a similar login name.

Details

The “Dolibarr” application is vulnerable to “Account Takeover Via Password Reset Functionality”. A low privileged user (Alice) can reset the password of any user in the application using the password reset link he received through email when requested for a forgotten password.

PoC Details

For demonstration purposes we will use two users: “Admin” (administrator) and “alice” (low privileged user). First, login into the application and configure the SMTP section (fill up SMTP ID, SMTP password and automatic email sender). Under Users & Groups tab, click on "alice" user, select modify and add email address. Navigate to the forgot password link from the login page. Now enter the low privileged username “alice” and click on “regenerate and send password”. Then you will see a message displaying - email sent to “alice”. “alice” received a link to reset password that contains “username” and “password” in MD5 hash. Now copy the link “http://host/user/passwordforgotten.php?action=validatenewpassword&username=alice&password=d41d8cd98f00b204e9800998ecf8427e'' and rename username from “alice” to “Admin” and send request. “Admin” can now login into the application with an empty password.

Affected Environments

2.8.1-13.0.2

Prevention

Upgrade to version 14.0.0