Improper Access Control in bookstackapp/bookstack

Valid

Reported on

Dec 28th 2021


Description

parentChapter permissions are not enforced during sort. Users with only book-update permissions on their own page can move their pages into restricted chapters by modifying the parentChapter id in the sortmap. Users do not need to have access to the restricted books / chapters in order to perform this attack.

Proof of Concept

[{"id":"3","sort":0,"parentChapter":"5","type":"page","book":"3"}]

The attacker has update permissions on page ID 3 and book ID 3. The attacker does not have any permissions on chapter ID 5.

Sending the above sortmap will cause page ID 3 to be moved to chapter ID 5, bypassing permission checks.

Impact

This vulnerability allows users with page-update and book-update permissions on any page and book to essentially create pages in any chapter of the application.
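The check the report describes as missing, illustrated from the defender's side as an added example (Python rather than BookStack's PHP; this is not the project's code). The permission table and the current location of page 3 are constructed to match the proof of concept above: the actor may update page 3 and book 3 but holds nothing on chapter 5.

```python
import json

# Constructed permission table: (entity_type, entity_id) -> set of allowed actions.
# Matches the PoC actor: update on page 3 and book 3, nothing on chapter 5.
ATTACKER_PERMS = {("page", 3): {"update"}, ("book", 3): {"update"}}

# Constructed: a user who additionally holds update on chapter 5, the destination.
EDITOR_PERMS = {("page", 3): {"update"}, ("book", 3): {"update"}, ("chapter", 5): {"update"}}

# Constructed current location of page 3: directly in book 3, not inside any chapter.
CURRENT_PARENT = {("page", 3): {"book": 3, "chapter": None}}

# The sortmap from the proof of concept, verbatim.
POC_SORTMAP = '[{"id":"3","sort":0,"parentChapter":"5","type":"page","book":"3"}]'


def can(perms, entity_type, entity_id, action):
    return action in perms.get((entity_type, int(entity_id)), set())


def validate_sortmap(sortmap_json, perms, current=CURRENT_PARENT):
    """Return a list of (item_id, reason) rejections; an empty list means the sort may proceed.

    Every entry is treated as a potential move, so the actor must hold update on the
    item itself, the destination book, the destination chapter (when one is given),
    and the chapter/book the item currently lives in (so it cannot be pulled out either).
    """
    rejections = []
    for entry in json.loads(sortmap_json):
        etype, eid = entry["type"], int(entry["id"])
        dest_book = int(entry["book"])
        required = [(etype, eid), ("book", dest_book)]
        dest_chapter = entry.get("parentChapter")
        if dest_chapter not in (None, "", 0, "0"):
            required.append(("chapter", int(dest_chapter)))
        src = current.get((etype, eid), {})
        if src.get("chapter") is not None:
            required.append(("chapter", src["chapter"]))
        if src.get("book") is not None and src["book"] != dest_book:
            required.append(("book", src["book"]))
        # dict.fromkeys de-duplicates while keeping the order of the checks.
        for target_type, target_id in dict.fromkeys(required):
            if not can(perms, target_type, target_id, "update"):
                rejections.append((eid, f"no update permission on {target_type} {target_id}"))
    return rejections


if __name__ == "__main__":
    print("attacker:", validate_sortmap(POC_SORTMAP, ATTACKER_PERMS))  # rejected on chapter 5
    print("editor:", validate_sortmap(POC_SORTMAP, EDITOR_PERMS))      # []
```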

We are processing your report and will contact the bookstackapp/bookstack team within 24 hours. a month ago
We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back a month ago
Dan Brown
a month ago

Maintainer


Thanks once again for finding and reporting!

Will take this as an opportunity to perform a bit of an audit and refactor of the book sorting logic as it's been a while since I touched these parts.

Will aim to deploy as part of a patch release for about mid-next-week.

Dan Brown validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
haxatron
a month ago

Researcher


No problem! Have a happy new year.

Dan Brown
23 days ago

Maintainer


Just to provide an update, this has proved quite tricky due to the models and permissions involved (since it can be taken as an update, delete and create action across multiple elements), so it has taken longer than expected to implement a fix. Think I've got one together now but just need to review it. Intending to deploy tomorrow. Also found a lacking chapter-move permission while fixing this, which will be part of the release.

haxatron
23 days ago

Researcher


No pressure :), access control is tough to get right

Dan Brown confirmed that a fix has been merged on cb0d67 22 days ago
Dan Brown has been awarded the fix bounty
BookContents.php#L147L168 has been validated