PT-2026-28592 · CVSS 6.5 · 2026-03-27
Dolibarr · Dolibarr · CVE-2026-34036
**Name of the Vulnerable Software and Affected Versions**

Dolibarr versions 22.0.4 and earlier

**Description**

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. A Local File Inclusion (LFI) vulnerability exists in the core AJAX endpoint `/core/ajax/selectobject.php`. By manipulating the `objectdesc` parameter and exploiting a fail-open logic flaw in the core access control function `restrictedArea()`, an authenticated user with no specific privileges can read the contents of arbitrary non-PHP files on the server, such as `.env`, `.htaccess`, configuration backups, or logs.

The root cause is a combination of two design flaws: dynamic file inclusion happens before the access control check, and the access control list (ACL) function fails open. Specifically, the endpoint parses the `objectdesc` parameter into a `$classpath` and, if `fetchObjectByElement()` fails, falls back to `dol_include_once($classpath)` at line 71, including the attacker-chosen file before any user permission is checked. `restrictedArea()` (`core/lib/security.lib.php`, line 102) skips the access check entirely when its `$features` parameter is empty, so the ACL is bypassed. Any authenticated user can therefore include files: a PHP file causes a fatal error, but the contents of text-based files are written into the HTTP response.

**Recommendations**

Versions prior to 22.0.5 are affected; upgrade to 22.0.5 or later. In the code, validate and whitelist `$classpath` before passing it to `dol_include_once()`; reorder the execution flow so that file inclusion never happens before user authorization has been fully verified; and change `restrictedArea()` in `core/lib/security.lib.php` to deny access explicitly (`$readok = 0`) when `$features` is empty.
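The following PHP is an added illustration of the two flaws and the three fixes recommended above; it is not Dolibarr's code and does not reproduce the real `selectobject.php` or `restrictedArea()`. The fail-open and fail-closed ACL functions, the `ALLOWED_CLASS_DIRS` allow-list, the colon-separated `objectdesc` format, the simplified rights array and the `handleSelectObject()` handler are all constructed for the example.

```php
<?php
// Added illustration (not Dolibarr's code). Names, the rights-array shape and
// the objectdesc format below are hypothetical stand-ins for the real ones.

// Constructed allow-list of class directories an object-lookup endpoint may
// legitimately include from; a real list would be project-specific.
const ALLOWED_CLASS_DIRS = ['/product/class/', '/societe/class/', '/projet/class/'];

/** Vulnerable pattern: an empty feature list skips the check and allows. */
function restrictedAreaFailOpen(array $userRights, string $features): bool
{
    if ($features === '') {
        return true;            // fail-open: nothing to check, so access is granted
    }
    return !empty($userRights[$features]['read']);
}

/** Hardened pattern: an empty feature list is a caller bug, so deny. */
function restrictedAreaFailClosed(array $userRights, string $features): bool
{
    if ($features === '') {
        return false;           // fail-closed: the advisory's "$readok = 0"
    }
    return !empty($userRights[$features]['read']);
}

/**
 * Validate a classpath derived from objectdesc before it reaches an include.
 * Only "/<module>/class/<name>.class.php" under the allow-list is accepted;
 * traversal segments, stream wrappers, NUL bytes, ".env", ".htaccess" and
 * any non-PHP file fail the regex and are rejected.
 */
function safeClassPath(string $classpath): ?string
{
    if (!preg_match('#^(/[a-z0-9_]+/class/)([a-z0-9_]+)\.class\.php$#', $classpath, $m)) {
        return null;
    }
    return in_array($m[1], ALLOWED_CLASS_DIRS, true) ? $classpath : null;
}

/** Hardened handler: authorise first, validate second, include last. */
function handleSelectObject(array $userRights, string $features, string $objectdesc): string
{
    // 1. Authorisation before anything derived from user input is touched.
    if (!restrictedAreaFailClosed($userRights, $features)) {
        return 'HTTP 403: access denied';
    }
    // 2. Parse objectdesc (constructed format "classpath:classname") and
    //    validate the path against the allow-list.
    $classpath = explode(':', $objectdesc, 2)[0];
    $safe = safeClassPath($classpath);
    if ($safe === null) {
        return 'HTTP 400: rejected classpath';
    }
    // 3. Only now would dol_include_once($safe) run, and only on a
    //    whitelisted class file. The include itself is omitted here.
    return 'would include ' . $safe;
}

// Constructed inputs: a user with read rights on one feature.
$rights = ['produit' => ['read' => 1]];
echo handleSelectObject($rights, '', '/product/class/product.class.php:Product'), "\n";
echo handleSelectObject($rights, 'produit', '/../../.env:Foo'), "\n";
echo handleSelectObject($rights, 'produit', '/product/class/product.class.php:Product'), "\n";
```

The three calls at the bottom exercise each fix in turn: the first is refused because the feature list is empty and the check now fails closed, the second is refused because the path does not match the allow-list pattern, and only the third reaches the point where an include would occur. Contrast this with the vulnerable ordering described in the advisory, where the include runs before `restrictedArea()` is consulted, so `restrictedAreaFailOpen()` returning `true` on an empty `$features` never even matters to the attacker.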