Improper Privilege Management in dolibarr/dolibarr

Valid

Reported on

May 19th 2021


💥 BUG

An unprivileged user can download a project file.

💥 STEP TO REPRODUCE

1. From the admin account, add user B as a normal user.
Now give user B the permission below for the Project module:
----> Read projects and tasks (shared project and projects I'm contact for). Can also enter time consumed, for me or my hierarchy, on assigned tasks (Timesheet)

2. Now, from the admin account, go to https://localhost/dolibarr/htdocs/projet/index.php?mainmenu=project&leftmenu= and create a project.
Upload a file to this project; the uploaded file's URL looks like http://localhost/dolibarr/htdocs/document.php?modulepart=project&entity=1&file=PJ2105-0001%2FPJ2105-0001-request.har

3. Finally, log in to user B's account and visit https://localhost/dolibarr/htdocs/projet/index.php?mainmenu=project&leftmenu= ; user B cannot see the project created above.
Now, as user B, open the file URL http://localhost/dolibarr/htdocs/document.php?modulepart=project&entity=1&file=PJ2105-0001%2FPJ2105-0001-request.har and the file can be downloaded.
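The flaw in the steps above is that the file endpoint checks only the module-level permission ("can read projects") and never whether the caller may read the particular project the file belongs to. The following is an added illustration, not Dolibarr's code: it parses the report's URL, reproduces the weak module-only check, and contrasts it with an object-level check that resolves the project from the `file` path and consults its contact list. Project, user and permission names are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs
from posixpath import normpath

# Constructed sample state mirroring the report: the admin created PJ2105-0001
# and is its only contact; user B holds the module-level permission "Read
# projects and tasks (shared project and projects I'm contact for)" but the
# project is not shared and B is not a contact. Names are hypothetical.
PROJECTS = {"PJ2105-0001": {"shared": False, "contacts": {"admin"}}}
USER_PERMS = {"admin": {"project_read"}, "B": {"project_read"}}

# The download URL from the report, as user B would request it.
REPORT_URL = ("http://localhost/dolibarr/htdocs/document.php?modulepart=project"
              "&entity=1&file=PJ2105-0001%2FPJ2105-0001-request.har")


def parse_request(url):
    """Return (modulepart, file) with percent-decoding applied (%2F -> '/')."""
    q = parse_qs(urlsplit(url).query)
    return q.get("modulepart", [""])[0], q.get("file", [""])[0]


def weak_can_download(user, url):
    """Module-level check only: any user with project read permission gets
    any project file. This is the behaviour the report demonstrates."""
    modulepart, _ = parse_request(url)
    return modulepart == "project" and "project_read" in USER_PERMS.get(user, ())


def project_ref_from_path(file):
    """First segment of the normalised 'file' path (the project ref), or None
    when there is no project segment. normpath collapses '..' components so a
    traversal attempt cannot point the lookup at a different directory."""
    clean = normpath("/" + file).lstrip("/")
    if "/" not in clean:
        return None
    return clean.split("/", 1)[0]


def can_download(user, url):
    """Object-level check: module permission AND the user may read *this*
    project, i.e. it is shared or the user is one of its contacts."""
    if not weak_can_download(user, url):
        return False
    _, file = parse_request(url)
    project = PROJECTS.get(project_ref_from_path(file))
    if project is None:
        return False
    return project["shared"] or user in project["contacts"]
```

With the weak check user B is served the file; with the object-level check only the admin (a project contact) is.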

💥 VIDEO

https://drive.google.com/file/d/1E0kM33YNLFKMAHKDjSlnEVYaJ6fHT8tL/view?usp=sharing

💥 Impact

Privilege escalation: a user who cannot see a project can still download its files.
