Overview
In the “Dolibarr” application, versions 2.8.1 to 13.0.4 do not restrict, or incorrectly restrict, access to a resource from an unauthorized actor. A low-privileged attacker can modify the Private Note, which only an administrator has the right to edit; the affected field is at the “/adherents/note.php?id=1” endpoint.
Details
“Dolibarr ERP CRM” does not restrict, or incorrectly restricts, access to a resource from an unauthorized actor: a low-privileged application user can modify the Private Note, which only an administrator has the right to edit. The affected field is at the “/adherents/note.php?id=1” endpoint.
PoC Details
For demonstration purposes we will use two users: “member1” (permissions to “Read members” and “Create/modify members”) and “admin” (administrator).
1. Log in to the application as member1.
2. Go to the My Dashboard option on the left pane and select member1 from the “Latest 5 members” section.
3. Go to the Note option from the navigation bar, edit the public note, and capture the request with a web proxy (for example, Burp Suite).
4. Modify the captured request by changing public to private, as shown in the image below, and forward the request.
5. Log in as the “admin” user, go to the same endpoint, and observe that a private note has been created.
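The following PHP sketch is added here as an illustration and is not taken from Dolibarr's source. It contrasts the pattern behind this finding (the server lets the request decide whether the public or the private note field is written, but only checks the permission needed for the public one) with a handler that derives the permission check from the field that will actually be written, so a request whose note kind has been flipped from public to private is rejected for a non-administrator. The $user array layout, the 'kind' request parameter, the 'note_public'/'note_private' keys and the function names are assumptions made for the example, not Dolibarr identifiers.

```php
<?php
// Added illustration, not Dolibarr's own code. All names below
// ($user layout, 'kind', 'note_public', 'note_private') are assumptions.
declare(strict_types=1);

/**
 * Vulnerable pattern: the permission check covers only the weakest
 * operation (editing the public note), while the request parameter
 * selects which field is written. A tampered 'kind' reaches the
 * private note with member-level rights.
 */
function update_note_vulnerable(array $user, array $request, array &$member): bool
{
    if (empty($user['rights']['member_write'])) {
        return false;                           // needs "Create/modify members"
    }
    $kind  = ($request['kind'] ?? 'public') === 'private' ? 'private' : 'public';
    $member['note_' . $kind] = $request['note'] ?? '';   // client picks the field
    return true;
}

/**
 * Hardened pattern: resolve the target field first, then require the
 * right that matches that field. The private note is administrator-only,
 * so the flipped request fails regardless of what the client sent.
 */
function update_note_hardened(array $user, array $request, array &$member): bool
{
    $kind = ($request['kind'] ?? 'public') === 'private' ? 'private' : 'public';

    if ($kind === 'private' && empty($user['admin'])) {
        return false;                           // private note: administrators only
    }
    if ($kind === 'public' && empty($user['rights']['member_write'])) {
        return false;                           // public note: member write right
    }
    $member['note_' . $kind] = $request['note'] ?? '';
    return true;
}

// Constructed sample data mirroring the two users from the PoC.
$member1 = ['admin' => false, 'rights' => ['member_write' => true]];
$admin   = ['admin' => true,  'rights' => ['member_write' => true]];
$record  = ['note_public' => '', 'note_private' => ''];

// A request captured while editing the public note, then tampered to 'private'.
$tampered = ['kind' => 'private', 'note' => 'written by member1'];

$copy = $record;
$ok = update_note_vulnerable($member1, $tampered, $copy);
printf("vulnerable, member1: accepted=%s private='%s'\n", var_export($ok, true), $copy['note_private']);

$copy = $record;
$ok = update_note_hardened($member1, $tampered, $copy);
printf("hardened,   member1: accepted=%s private='%s'\n", var_export($ok, true), $copy['note_private']);

$copy = $record;
$ok = update_note_hardened($admin, $tampered, $copy);
printf("hardened,   admin:   accepted=%s private='%s'\n", var_export($ok, true), $copy['note_private']);
```

Run it with `php update_note.php`; the first line shows the member-level user succeeding against the vulnerable handler, the second shows the same tampered request refused by the hardened handler, and the third shows the administrator still able to write the private note. The design point is that the authorization decision must be tied to the resource the request resolves to on the server, never to the label the client attached to it.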
Affected Environments
2.8.1-13.0.4
Prevention
Upgrade to 14.0.0