Improper Privilege Management in dolibarr/dolibarr


Reported on

May 19th 2021


Unprivileged user can download project file


1. From the admin account, add user B as a normal user.
Now give user B the permission below for the Projects module:
----> Read projects and tasks (shared projects and projects I'm a contact for). Can also enter time consumed, for me or my hierarchy, on assigned tasks (Timesheet)

2. Now, from the admin account, go to https://localhost/dolibarr/htdocs/projet/index.php?mainmenu=project&leftmenu= and create a project.
Upload a file to this project; the URL of the uploaded file looks like http://localhost/dolibarr/htdocs/document.php?modulepart=project&entity=1&file=PJ2105-0001%2FPJ2105-0001-request.har

3. Finally, log in to user B's account and visit https://localhost/dolibarr/htdocs/projet/index.php?mainmenu=project&leftmenu= ; user B cannot see the project created above.
Now, if user B opens the file URL http://localhost/dolibarr/htdocs/document.php?modulepart=project&entity=1&file=PJ2105-0001%2FPJ2105-0001-request.har directly, user B can download the file.
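The three steps above show the root cause: the download endpoint checks only whether the user holds the module-level "read projects" right, not whether the user is actually allowed to see the particular project that owns the file. The model below is an added example written for this report, not Dolibarr's own document.php code; the project, user and right names (`projet.lire`, the contact list, the `PUBLIC` flag) are constructed stand-ins. It contrasts a module-level-only check with an object-level check that maps the `file` parameter back to its project reference and verifies the requester is a contact of that project (or the project is shared), and it rejects path traversal in `file` while doing so.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from urllib.parse import parse_qs, unquote


# Constructed sample data modelling the report: one project, created by admin,
# with admin as its only contact. Not Dolibarr's real data structures.
@dataclass
class Project:
    ref: str
    entity: int
    contacts: frozenset   # logins of users who are contacts of the project
    shared: bool = False  # a "shared" project is visible to every project reader


@dataclass
class User:
    login: str
    rights: frozenset     # module-level rights, e.g. "projet.lire"


PROJECTS = {"PJ2105-0001": Project("PJ2105-0001", 1, frozenset({"admin"}))}


def parse_file_param(file_param: str):
    """Split the decoded `file` value into (project ref, file name).

    Project files live under a directory named after the project ref, so the
    first path segment identifies the owning project. Anything absolute,
    containing '..', or not exactly two segments deep is rejected.
    """
    path = PurePosixPath(unquote(file_param))
    if path.is_absolute() or ".." in path.parts or len(path.parts) != 2:
        raise ValueError("invalid file path")
    return path.parts[0], path.parts[1]


def can_download_vulnerable(user: User, modulepart: str, entity: int, file_param: str) -> bool:
    """Module-level check only: any user holding the read right gets any project file."""
    return modulepart == "project" and "projet.lire" in user.rights


def can_download_fixed(user: User, modulepart: str, entity: int, file_param: str) -> bool:
    """Module-level check plus an object-level check on the owning project."""
    if modulepart != "project" or "projet.lire" not in user.rights:
        return False
    ref, _name = parse_file_param(file_param)
    project = PROJECTS.get(ref)
    if project is None or project.entity != entity:
        return False  # unknown project, or belongs to another entity
    return project.shared or user.login in project.contacts


def authorize_request(user: User, query_string: str, check=can_download_fixed) -> bool:
    """Parse a document.php-style query string and apply the chosen check.

    Missing or malformed parameters deny the request rather than raising.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    try:
        modulepart = params["modulepart"][0]
        entity = int(params["entity"][0])
        file_param = params["file"][0]
        return check(user, modulepart, entity, file_param)
    except (KeyError, ValueError, IndexError):
        return False


if __name__ == "__main__":
    # Same request from the report, as user B (module read right, not a contact).
    user_b = User("userB", frozenset({"projet.lire"}))
    query = "modulepart=project&entity=1&file=PJ2105-0001%2FPJ2105-0001-request.har"
    print("vulnerable:", authorize_request(user_b, query, can_download_vulnerable))  # True
    print("fixed:     ", authorize_request(user_b, query, can_download_fixed))       # False
```

Note that `parse_qs` already percent-decodes the value, so `unquote` inside `parse_file_param` is a no-op for that path and only matters when the helper is called with a raw value; the traversal check still runs on the decoded form either way.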


💥 Impact

Privilege escalation: a user with only the module-level read right, who cannot see the project in the project list, can still download that project's files by requesting the document.php URL directly.
