Dolibarr ERP & CRM Cross-Site Request Forgery Vulnerability Allowing Privilege Escalation

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Dolibarr ERP & CRM version 22.0.9, allowing remote attackers to escalate privileges. The vulnerability arises from administrator permission changes being executed via HTTP GET requests, with the anti-CSRF token exposed in the URL. Low-privileged users can inject HTML into notes or fields, and when an administrator clicks on the injected content, the attacker gains admin rights.

Impact

Exploitation of this vulnerability leads to unauthorized privilege escalation, allowing a low-privileged user to gain administrative rights on the application.

Reproduction

To reproduce this vulnerability, a low-privileged user injects a link into a notes field. Once the content is saved, an administrator must be persuaded to click the injected link. This works because permission changes are handled via GET requests whose query string includes the CSRF token. When the admin clicks the link, the permission change is executed, and the attacker gains admin rights.

Remediation

It is recommended to convert all permission-changing actions to POST requests, remove CSRF tokens from URLs by storing them in the POST body, and add a confirmation dialog for admin permission changes. Additionally, the 'Referrer-Policy' should be set to 'strict-origin' and further validation should be implemented for HTML rendering contexts.
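As an added illustration (not code from Dolibarr or from this advisory), the following PHP gate applies the first three recommendations to a permission-changing endpoint: POST only, token read from the request body and compared in constant time, and an explicit confirmation step. The parameter names, session key, response codes and the `authorize_permission_change` function are assumptions.

```php
<?php
// Added illustration, not Dolibarr's own code: the validation gate a
// permission-changing endpoint applies under the remediation above.
// Parameter and session key names are assumptions.

// Returns [httpStatus, message]; 200 means the grant may proceed.
function authorize_permission_change(array $server, array $post, array &$session): array
{
    // Per-session anti-CSRF token, created lazily and never placed in a URL.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }

    // 1. Only POST: a link embedded in a note cannot issue a POST by itself.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return [405, 'Permission changes must be submitted via POST.'];
    }

    // 2. Token taken from the POST body only (never the query string) and
    //    compared in constant time.
    $token = $post['csrf_token'] ?? '';
    if (!is_string($token) || !hash_equals($session['csrf_token'], $token)) {
        return [403, 'Invalid or missing anti-CSRF token.'];
    }

    // 3. Validated target plus an explicit confirmation field that only the
    //    confirmation dialog sets, so a single blind submission is not enough.
    $userId = filter_var($post['user_id'] ?? null, FILTER_VALIDATE_INT);
    if ($userId === false) {
        return [400, 'Missing or malformed user id.'];
    }
    if (($post['confirm'] ?? '') !== 'yes') {
        return [409, 'Confirmation required before granting admin rights.'];
    }
    return [200, "Admin rights may be granted to user $userId."];
}

// Wiring for a real request. The Referrer-Policy header recommended above
// keeps the full URL out of the Referer header on outbound navigations.
session_start();
header('Referrer-Policy: strict-origin');
[$status, $message] = authorize_permission_change($_SERVER, $_POST, $_SESSION);
http_response_code($status);
echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), "\n";
```

The actual grant (not shown) should run only on the 200 path, and the confirmation form should carry the same session token in a hidden field rather than in its action URL.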

Added: Feb 12, 2026, 4:24 PM
Updated: Feb 12, 2026, 4:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 5.0
exploitability: 4.5
remediation: 0.0
relevance: 2.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.