Improper Privilege Management in dolibarr/dolibarr
May 22nd 2021
An unprivileged user can download a file attached to an agenda entry.
The user does not have access to the specific agenda entry but can still download files uploaded to it.
💥 TESTED VERSION
💥 STEPS TO REPRODUCE
1. First, go to the admin account and add user B as a normal user.
Now give user B the permission below for the
Agenda module:
-->Read actions (events or tasks) linked to his user account (if owner of event or just assigned to).
So user B can only see events he owns or is assigned to, and he cannot modify any.
2. Now, from the admin account, go to the
Agenda module and create an agenda entry.
Now upload a file to this agenda entry; the file link looks like
So user B should not be able to see this agenda entry or the uploaded file.
3. Finally, log in to user B's account and visit the uploaded file URL above:
http://localhost/dolibarr-develop/htdocs/document.php?modulepart=actions&entity=1&file=2%2FSECURITbYs.md and he can download this file.
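The missing piece is an object-level check: the download handler should apply the same owner-or-assigned rule the Agenda list applies, rather than only the module-level read right. The function below is an added example of such a check and is not Dolibarr's own code; it assumes the `ActionComm` class (`fetch()`, `userownerid`, `userassigned`), the `DOL_DOCUMENT_ROOT` constant and the `agenda->myactions->read` / `agenda->allactions->read` rights as found in Dolibarr, and derives the event id from the first path segment of the `file` parameter (`2/SECURITbYs.md` -> event 2), which should be verified against the version you run.

```php
<?php
// Added example, not Dolibarr's own code. Assumes the Dolibarr ActionComm
// class (fetch(), userownerid, userassigned), DOL_DOCUMENT_ROOT and the
// agenda rights myactions->read / allactions->read; verify before use.

/**
 * Decide whether $user may download a file served for modulepart=actions.
 * $file is the raw "file" parameter, e.g. "2/SECURITbYs.md": the first
 * path segment is the id of the event the file belongs to.
 */
function actionFileAccessAllowed($db, $user, string $file): bool
{
    // Reject traversal and absolute paths before looking anything up.
    $file = str_replace('\\', '/', $file);
    if ($file === '' || $file[0] === '/' || strpos($file, '..') !== false) {
        return false;
    }
    // The first path segment must be a positive integer event id.
    $segments = explode('/', $file, 2);
    if ($segments[0] === '' || !ctype_digit($segments[0])) {
        return false;
    }
    $actionId = (int) $segments[0];

    // Users with the "all events" right may read any event's files.
    if (!empty($user->rights->agenda->allactions->read)) {
        return true;
    }
    // The module-level "my events" right alone is not enough: the user
    // must also own the event or be assigned to it. This per-object
    // check is what keeps an unrelated user from fetching the file.
    if (empty($user->rights->agenda->myactions->read)) {
        return false;
    }
    require_once DOL_DOCUMENT_ROOT.'/comm/action/class/actioncomm.class.php';
    $event = new ActionComm($db);
    if ($event->fetch($actionId) <= 0) {
        return false; // unknown event: deny rather than leak
    }
    if ((int) $event->userownerid === (int) $user->id) {
        return true;
    }
    // Assumed: userassigned is keyed by user id after fetch().
    return isset($event->userassigned[$user->id]);
}
```

With this rule, the request in step 3 is denied for user B unless he owns event 2 or is assigned to it, which matches what the Agenda list already shows him.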