Improper Privilege Management in dolibarr/dolibarr

Valid

Reported on May 19th 2021


💥 BUG

An unprivileged user can see all details of a product.

💥 STEP TO REPRODUCE

1. From the admin account, add user B as a normal user.
Do not give user B any permission for the Product module.
So user B should not be able to see any product details.

2. Now, from the admin account, create a product.

3. Finally, go to user B's account and visit http://localhost/dolibarr/htdocs/product/note.php?id=1 to see the product details.

💥 VIDEO

https://drive.google.com/file/d/1eWbN2wfsyCmPRaAhEVQcSHsuugNcF_nC/view?usp=sharing

💥 Impact

Privilege escalation

Laurent
6 months ago

This occurs when the user has permission to read services but not permission to read products. A lack of a test makes the user able to read a product of type "product" when only having permission to read "service".
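The root cause described in the comment above is an authorization check that does not distinguish the object's type. The following PHP is an added, standalone illustration and is not Dolibarr's code: the `Product` class, the `$rights` array and the two check functions are hypothetical (the `produit`/`service` and `lire` names only mirror Dolibarr's module naming). It places the type-blind check beside the type-aware one that closes the gap.

```php
<?php
// Added illustration, not Dolibarr's code. Models a read-permission check for
// a page that can serve both products and services.

final class Product
{
    // Type values are assumed for this example.
    public const TYPE_PRODUCT = 0;
    public const TYPE_SERVICE = 1;

    public function __construct(
        public int $id,
        public int $type,
        public string $label,
    ) {
    }
}

// Weak check: a single test covers both modules, so a user holding only the
// service-read right is accepted for an object of type "product".
function canReadWeak(array $rights, Product $p): bool
{
    return !empty($rights['produit']['lire']) || !empty($rights['service']['lire']);
}

// Corrected check: the right consulted depends on the type of the object that
// was actually loaded from the id parameter, not on the page being requested.
function canReadByType(array $rights, Product $p): bool
{
    if ($p->type === Product::TYPE_SERVICE) {
        return !empty($rights['service']['lire']);
    }
    return !empty($rights['produit']['lire']);
}

// Request handling sketch: load the object first, then authorize against it.
function handleNotePage(array $rights, array $store, int $id): string
{
    if (!isset($store[$id])) {
        return "404 not found";
    }
    $object = $store[$id];
    if (!canReadByType($rights, $object)) {
        return "403 forbidden";
    }
    return "200 " . $object->label;
}

// Constructed sample data: user B has the service-read right only.
$userB = ['produit' => ['lire' => 0], 'service' => ['lire' => 1]];
$store = [
    1 => new Product(1, Product::TYPE_PRODUCT, 'Widget'),
    2 => new Product(2, Product::TYPE_SERVICE, 'Support contract'),
];

foreach ($store as $id => $object) {
    printf(
        "id=%d type=%s weak=%s byType=%s -> %s\n",
        $id,
        $object->type === Product::TYPE_SERVICE ? 'service' : 'product',
        canReadWeak($userB, $object) ? 'allow' : 'deny',
        canReadByType($userB, $object) ? 'allow' : 'deny',
        handleNotePage($userB, $store, $id)
    );
}
```

The important ordering is load-then-authorize: the object's type is only known after it has been fetched by id, so any check evaluated before that point can at best decide "may this user read products or services at all", which is exactly the over-broad test the maintainer describes.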