CVE-2021-3991
📋 TL;DR
This CVE describes an improper authorization vulnerability in Dolibarr ERP/CRM software where users with restricted permissions in the Reception section can bypass access controls by directly accessing specific reception details via URL manipulation. This affects Dolibarr installations where user permissions are configured to restrict access to reception data. The vulnerability allows unauthorized viewing of reception details that should be protected by permission checks.
💻 Affected Systems
- Dolibarr ERP/CRM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with low-privileged access could view sensitive reception data including customer information, order details, and potentially confidential business data that should be restricted to authorized personnel only.
Likely Case
Internal users with reception module access can view reception details they shouldn't have permission to see, potentially exposing customer data and order information beyond their authorized scope.
If Mitigated
With proper network segmentation and access controls, the impact is limited to unauthorized data viewing within the application by authenticated users.
🎯 Exploit Status
Exploitation requires authenticated access to the Dolibarr application with permissions to access the Reception module. The attack consists of manipulating URLs to reach specific reception details that the user's permissions should not allow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in 'develop' branch commit 63cd06394f39d60784d6e6a0ccf4867a71a6568f
Vendor Advisory: https://github.com/dolibarr/dolibarr/commit/63cd06394f39d60784d6e6a0ccf4867a71a6568f
Restart Required: No
Instructions:
1. Update to the latest Dolibarr version from the 'develop' branch or any version containing commit 63cd06394f39d60784d6e6a0ccf4867a71a6568f.
2. Apply the specific patch from the GitHub commit if not updating the entire version.
3. Verify that proper authorization checks are now enforced in the Reception module.
🔧 Temporary Workarounds
Temporary Access Restriction
Restrict access to reception module URLs via web server configuration or application firewall rules. Note that a rule like the one below blocks the whole module for every user, not only the unauthorized ones, so it is a stop-gap rather than a replacement for the patch.
# Example Apache .htaccess rule to restrict access to reception paths
# Assumes Dolibarr's htdocs/ is the document root; prefix the pattern with the install path otherwise (e.g. ^/dolibarr/reception/)
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/reception/
RewriteRule .* - [F]
Permission Review and Adjustment
Review and tighten user permissions in Dolibarr, particularly for Reception module access.
# No specific commands - perform through Dolibarr admin interface
# Navigate to Users & Groups -> Permissions and review reception module access
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Dolibarr from untrusted networks
- Enforce principle of least privilege by reviewing and minimizing user access to Reception module
🔍 How to Verify
Check if Vulnerable:
Test with a low-privileged user account that has Reception module access. Attempt to open, by direct URL, reception details that the account's permissions should not allow it to see.
Check Version:
Check Dolibarr version in admin interface or via: grep '\$version' htdocs/includes/main.inc.php
Verify Fix Applied:
After patching, repeat the same test with the low-privileged user. Attempts to reach restricted reception details via URL manipulation should now be blocked with an authorization error.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts to reception URLs
- Successful access to reception details by users not authorized for those records
- Unusual pattern of reception module access from low-privileged accounts
Network Indicators:
- Repeated requests to specific reception detail URLs with different ID parameters
- Access patterns suggesting enumeration of reception records
SIEM Query:
source="dolibarr" AND (url_path="/reception/" OR url_path CONTAINS "reception") AND (response_code=200 OR response_code=403) | stats count by user, url_path
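The log and network indicators above can be checked offline against web server access logs. The script below is an added example, not part of this advisory or of Dolibarr, that parses constructed Apache-style log lines and flags users who opened several distinct reception records (the enumeration pattern) and counts denied attempts per user. The /reception/card.php?id=N URL layout is an assumption; adjust the regexes to your install.

```python
import re
from collections import defaultdict

# Constructed Apache common-log style lines (not real traffic). The
# /reception/card.php?id=N layout is an assumption about how reception
# details are addressed; adjust the regexes to your install's URL scheme.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Nov/2021:10:01:02 +0000] "GET /dolibarr/reception/card.php?id=17 HTTP/1.1" 200 5123
10.0.0.5 - alice [12/Nov/2021:10:01:09 +0000] "GET /dolibarr/reception/card.php?id=18 HTTP/1.1" 200 5098
10.0.0.5 - alice [12/Nov/2021:10:01:15 +0000] "GET /dolibarr/reception/card.php?id=19 HTTP/1.1" 200 5110
10.0.0.5 - alice [12/Nov/2021:10:01:21 +0000] "GET /dolibarr/reception/card.php?id=20 HTTP/1.1" 200 5077
10.0.0.7 - bob [12/Nov/2021:10:05:00 +0000] "GET /dolibarr/reception/card.php?id=17 HTTP/1.1" 403 412
10.0.0.9 - carol [12/Nov/2021:10:06:30 +0000] "GET /dolibarr/comm/index.php HTTP/1.1" 200 8000
"""

# Common Log Format: host ident authuser [date] "request" status bytes
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ID_RE = re.compile(r"[?&]id=(\d+)")


def parse_reception_requests(log_text):
    """Return (user, reception_id, status) for each request to a reception detail page."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "/reception/" not in m.group("path"):
            continue
        idm = ID_RE.search(m.group("path"))
        if not idm:
            continue  # module index or list pages carry no record id
        hits.append((m.group("user"), int(idm.group(1)), int(m.group("status"))))
    return hits


def find_enumeration(log_text, min_distinct_ids=3):
    """Flag users who successfully opened at least min_distinct_ids different
    reception records (the enumeration pattern) and count 403s per user."""
    viewed = defaultdict(set)
    denied = defaultdict(int)
    for user, rec_id, status in parse_reception_requests(log_text):
        if status == 200:
            viewed[user].add(rec_id)
        elif status == 403:
            denied[user] += 1
    flagged = {u: sorted(ids) for u, ids in viewed.items() if len(ids) >= min_distinct_ids}
    return flagged, dict(denied)


if __name__ == "__main__":
    flagged, denied = find_enumeration(SAMPLE_LOG)
    for user, ids in flagged.items():
        print(f"{user}: opened {len(ids)} distinct reception records {ids}")
    print("denied attempts:", denied)
```

Flagged users still need to be cross-checked against their Dolibarr permissions: a user who legitimately holds full reception rights will trip the count threshold without any bypass having occurred.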