Submission #818838: Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side

Title: Dolibarr ERP CRM 23.0.0 23.0.1 23.0.2 Trusting HTTP Permission Methods on the Server Side

Description:
Dolibarr ERP/CRM fails to enforce authorization on the /user/messaging.php endpoint. An authenticated user with zero permissions, including 'Read other users' explicitly disabled, can access the full profile of any user in the system by manipulating the 'id' GET parameter in the URL. The application returns full profile data instead of a 403 Forbidden response.

AFFECTED ENDPOINT
GET /dolibarr/user/messaging.php?id=[USER_ID]

DATA EXPOSED
- Username and profile photo
- Account status (active/inactive)
- Full permission list and count
- Account creation and last modification timestamps
- Server timezone (inferable from timestamp delta)

STEPS TO REPRODUCE
1. Log in with a standard non-admin account (0 permissions, Read other users = OFF)
2. Navigate to: /dolibarr/user/messaging.php?id=1
3. Observe full SuperAdmin profile returned (username, 17 permissions, timestamps)
4. Change to id=4: full profile of dr.bales returned (5 permissions)
5. Increment ID to enumerate all users in the organization

IMPACT
- Full internal user enumeration across the organization
- Permission reconnaissance to identify high-privilege targets
- Targeted spear-phishing using harvested usernames and profile photos
- Privilege escalation path via SuperAdmin account targeting
- Server timezone leak via timestamp delta (UTC+1)

PATCH / VENDOR FIX
https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2

DISCOVERED BY
Aksoum Abderrahmane

REFERENCES
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
- https://cwe.mitre.org/data/definitions/639.html

Source: https://github.com/dolibarr/dolibarr/commit/119b3606c7a701747a57a1f18b1a9e7666f678e2
User: Abderrahmane Aksoum (UID 97571)
Submitted: 2026-05-04 15:18 (1 month ago)
Moderated: 2026-05-30 07:52 (26 days later)
Status: Accepted
VulDB Entry: 367407 [Dolibarr ERP CRM 23.0.0/23.0.1/23.0.2 messaging.php identifier privilege escalation]
Points: 20
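The enumeration described under STEPS TO REPRODUCE and IMPACT leaves a distinctive trace in web-server access logs: one client walking many distinct id values on /user/messaging.php within a short window. The detector below is an added example for this page; it is not part of the submission and not Dolibarr's code. It assumes Apache/nginx "combined" log format, identifies a client by source IP (an assumption; behind a reverse proxy use the forwarded client address instead), and the thresholds MAX_DISTINCT_IDS and WINDOW_SECONDS are illustrative values to be tuned per deployment. The log lines are constructed for the example.

```python
"""Detect id enumeration against Dolibarr's /user/messaging.php in access logs.

Added example, not Dolibarr code. Assumes combined-format logs, client = source IP,
and illustrative thresholds (MAX_DISTINCT_IDS, WINDOW_SECONDS).
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/user/messaging.php"  # matched as a suffix: Dolibarr may live under a prefix such as /dolibarr
MAX_DISTINCT_IDS = 3              # assumption: more distinct profiles than this per window is suspicious
WINDOW_SECONDS = 60               # assumption: sliding window length

# Combined log format: client ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 walks ids 1..5 on an unpatched server (200s),
# 10.0.0.7 attempts the same walk on a patched server (403s),
# 10.0.0.9 views two profiles eleven minutes apart (benign).
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2026:15:18:01 +0100] "GET /dolibarr/user/messaging.php?id=1 HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
10.0.0.5 - - [04/May/2026:15:18:03 +0100] "GET /dolibarr/user/messaging.php?id=2 HTTP/1.1" 200 7904 "-" "Mozilla/5.0"
10.0.0.5 - - [04/May/2026:15:18:04 +0100] "GET /dolibarr/user/messaging.php?id=3 HTTP/1.1" 200 7655 "-" "Mozilla/5.0"
10.0.0.9 - - [04/May/2026:15:20:10 +0100] "GET /dolibarr/user/messaging.php?id=4 HTTP/1.1" 200 7790 "-" "Mozilla/5.0"
10.0.0.5 - - [04/May/2026:15:18:06 +0100] "GET /dolibarr/user/messaging.php?id=4 HTTP/1.1" 200 7790 "-" "Mozilla/5.0"
10.0.0.5 - - [04/May/2026:15:18:07 +0100] "GET /dolibarr/user/messaging.php?id=5 HTTP/1.1" 200 7810 "-" "Mozilla/5.0"
10.0.0.7 - - [04/May/2026:15:21:00 +0100] "GET /dolibarr/user/messaging.php?id=1 HTTP/1.1" 403 512 "-" "curl/8.0"
10.0.0.7 - - [04/May/2026:15:21:01 +0100] "GET /dolibarr/user/messaging.php?id=2 HTTP/1.1" 403 512 "-" "curl/8.0"
10.0.0.7 - - [04/May/2026:15:21:02 +0100] "GET /dolibarr/user/messaging.php?id=3 HTTP/1.1" 403 512 "-" "curl/8.0"
10.0.0.7 - - [04/May/2026:15:21:03 +0100] "GET /dolibarr/user/messaging.php?id=4 HTTP/1.1" 403 512 "-" "curl/8.0"
10.0.0.7 - - [04/May/2026:15:21:04 +0100] "GET /dolibarr/user/messaging.php?id=5 HTTP/1.1" 403 512 "-" "curl/8.0"
10.0.0.9 - - [04/May/2026:15:31:15 +0100] "GET /dolibarr/user/messaging.php?id=7 HTTP/1.1" 200 7790 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return {client, user, time, id, status} for a messaging.php?id=N request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not url.path.endswith(ENDPOINT):
        return None
    ids = parse_qs(url.query).get("id")
    if not ids or not ids[0].isdigit():
        return None
    return {
        "client": m.group("client"),
        "user": m.group("user"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "id": int(ids[0]),
        "status": int(m.group("status")),
    }


def find_enumeration(lines, max_ids=MAX_DISTINCT_IDS, window=WINDOW_SECONDS):
    """Flag clients that requested more than max_ids distinct profile ids within
    any sliding window of `window` seconds. For each flagged client report every
    id requested and the subset that was actually served (2xx), so a blocked walk
    on a patched instance (all 403) is told apart from real disclosure."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["client"]].append((ev["time"], ev["id"], ev["status"]))
    hits = {}
    for client, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1
            distinct = {i for _, i, _ in evs[start:end + 1]}
            if len(distinct) > max_ids:
                hits[client] = {
                    "ids": sorted({i for _, i, _ in evs}),
                    "exposed": sorted({i for _, i, s in evs if 200 <= s < 300}),
                }
                break
    return hits


if __name__ == "__main__":
    for client, info in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: requested ids {info['ids']}, profiles served {info['exposed']}")
```

Run against the constructed sample it flags 10.0.0.5 (five profiles served in six seconds) and 10.0.0.7 (the same walk, but every request answered 403, so "exposed" is empty), and leaves 10.0.0.9 alone. Sessions are a better key than source IP where the application log or a session cookie is available, since the report's precondition is an authenticated account rather than an anonymous client.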
