Dolibarr / dolibarr

Dolibarr ERP CRM is a modern software package to manage your company or foundation's activity (contacts, suppliers, invoices, orders, stocks, agenda, accounting, ...). It is an open source web application (written in PHP) designed for businesses of any size, foundations and freelancers.
https://www.dolibarr.org
GNU General Public License v3.0

Question SECURITY - Browse The Server in Mail Template #26090

Open warnerbryce opened 1 year ago

warnerbryce commented 1 year ago

Bug

I saw that @eldy made some change for security reason on $acceptlocallinktomedia in core/lib/functions2.lib.php

In order to browse the server for inserting some images into your mail template (admin/mail_templates.php) you have to configure a "https://" dolibarr_main_url_root having a server IP that isn't in a local range 10.X.X.X / 172.16.X.X ~172.32.X.X / 192.168.X.X and more... Here is the code:

```php
// Excerpt from core/lib/functions2.lib.php (the function header is not part of the quoted snippet).
// If $acceptlocallinktomedia is true, we can add link media files into email templates (we already can do this into HTML editor of an email).
// Note that local link to a file into medias are replaced with a real link by email in CMailFile.class.php with value $urlwithroot defined like this:
// $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
// $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
$acceptlocallinktomedia = getDolGlobalInt('MAIN_DISALLOW_MEDIAS_IN_EMAIL_TEMPLATES') ? 0 : 1;
if ($acceptlocallinktomedia) {
	global $dolibarr_main_url_root;
	$urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));

	// Parse $newUrl
	$newUrlArray = parse_url($urlwithouturlroot);
	$hosttocheck = $newUrlArray['host'];
	$hosttocheck = str_replace(array('[', ']'), '', $hosttocheck); // Remove brackets of IPv6

	// Resolve the public hostname from the server's own point of view
	if (function_exists('gethostbyname')) {
		$iptocheck = gethostbyname($hosttocheck);
	} else {
		$iptocheck = $hosttocheck;
	}

	//var_dump($iptocheck.' '.$acceptlocallinktomedia);
	if (!filter_var($iptocheck, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
		// If ip of public url is a private network IP, we do not allow this.
		$acceptlocallinktomedia = 0;
		// TODO Show a warning
	}

	if (preg_match('/http:/i', $urlwithouturlroot)) {
		// If public url is not a https, we do not allow to add medias link. It will generate security alerts when email will be sent.
		$acceptlocallinktomedia = 0;
		// TODO Show a warning
	}

	// External (partner) users are never allowed to add local media links
	if (!empty($user->socid)) {
		$acceptlocallinktomedia = 0;
	}
}

//return 1;
return $acceptlocallinktomedia;
}
```

The problem is that I have Dolibarr instances behind a proxy. The proxy is here to handle traffic like redirecting URLs to the right server, fail2ban, etc. If I test $iptocheck on those Dolibarrs I will get a local IP like 10.0.10.16, so $acceptlocallinktomedia will always be 0. So I won't be able to add media correctly in admin/mail_templates.php and users/card.php. It works on all other pages because this check isn't made.

Why is this check important on those pages? Because if I prepare a mail template on societe/card.php, I can insert images with "Browse The Server", then copy the source code, go to admin/mail_templates.php and paste it.

Environment Version

14~19

Environment OS

Not relevant

Environment Web server

Not relevant Apache or Nginx

Environment PHP

7.4 and 8.0

Environment Database

MariaDB
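To make the behaviour described in this report reproducible without touching a live instance, here is an added stand-alone re-implementation of the decision (example code, not Dolibarr's own function). The DNS lookup is injected as a callable so the proxy case can be simulated offline; the function name `decideLocalMediaLinks`, the resolver table and the host names are constructed for the example. Unlike the original, it returns the reasons a link was refused, which is the "TODO Show a warning" an administrator needs when diagnosing exactly this situation.

```php
<?php
// Added example: pure-function version of the acceptlocallinktomedia decision.
// Not Dolibarr code; names and sample hosts are hypothetical/constructed.

/**
 * Decide whether local media links may be inserted into an email template.
 *
 * @param string   $urlRoot         dolibarr_main_url_root with DOL_URL_ROOT already stripped
 * @param callable $resolve         fn(string $host): string, stand-in for gethostbyname()
 * @param bool     $isExternalUser  true when $user->socid is set (partner/external account)
 * @return array{allowed: bool, reasons: string[]}
 */
function decideLocalMediaLinks(string $urlRoot, callable $resolve, bool $isExternalUser = false): array
{
    $reasons = [];
    $parts = parse_url(trim($urlRoot));
    $host = $parts['host'] ?? '';
    $host = str_replace(['[', ']'], '', $host); // strip IPv6 brackets, as the original does

    // Step 1: resolve the public hostname from the *server's* point of view.
    // Behind a reverse proxy with internal DNS this is where a private address shows up.
    $ip = $resolve($host);

    // Step 2: refuse private (10/8, 172.16/12, 192.168/16, fc00::/7) and
    // reserved (0/8, 127/8, 169.254/16, 240/4, ::1, fe80::/10, ...) ranges.
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        $reasons[] = "host '$host' resolves to non-public address '$ip'";
    }

    // Step 3: only an https root is accepted. The original greps for 'http:' in the
    // whole string; checking the parsed scheme is the equivalent, stricter form.
    if (($parts['scheme'] ?? '') !== 'https') {
        $reasons[] = 'public URL root is not https';
    }

    // Step 4: external (socid) users never get the feature.
    if ($isExternalUser) {
        $reasons[] = 'user is an external (socid) account';
    }

    return ['allowed' => $reasons === [], 'reasons' => $reasons];
}

// Constructed resolver table standing in for DNS as seen by the Dolibarr host.
// 203.0.113.0/24 is documentation space; it passes NO_PRIV_RANGE/NO_RES_RANGE
// (only the separate FILTER_FLAG_GLOBAL_RANGE would reject it).
$fakeDns = [
    'erp.example.org'   => '203.0.113.10', // public address (constructed)
    'erp.internal.test' => '10.0.10.16',   // what the reporter sees behind the proxy
    '::1'               => '::1',
];
$resolve = function (string $host) use ($fakeDns): string {
    return $fakeDns[$host] ?? $host; // gethostbyname() returns its input unchanged on failure
};

$cases = [
    'https://erp.example.org',   // allowed
    'https://erp.internal.test', // proxy case from the issue: blocked (private IP)
    'http://erp.example.org',    // blocked (not https)
    'https://[::1]',             // blocked (reserved loopback)
];

foreach ($cases as $url) {
    $r = decideLocalMediaLinks($url, $resolve);
    printf("%-28s -> %s%s\n", $url, $r['allowed'] ? 'allowed' : 'blocked',
        $r['reasons'] ? ' (' . implode('; ', $r['reasons']) . ')' : '');
}
// External users are refused even on a valid public https root:
$r = decideLocalMediaLinks('https://erp.example.org', $resolve, true);
printf("%-28s -> %s (%s)\n", 'external user', $r['allowed'] ? 'allowed' : 'blocked', $r['reasons'][0]);
```

Run it with `php decide.php`. The second case is the reporter's situation: the check is not about which network the browser sits on but about what `gethostbyname()` returns on the Dolibarr server itself, so any deployment whose public hostname resolves internally to a private address (split-horizon DNS, a proxy that rewrites the host) is refused with the first reason, while the feature keeps working on the pages that skip the check.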

warnerbryce commented 3 weeks ago

Up, someone?