Improper Access Control in bookstackapp/bookstack

Valid

Reported on

Dec 28th 2021


Description

parentChapter permissions are not enforced during sort. Users with only page-update and book-update permissions on their own page and book can move their pages into restricted chapters by modifying the parentChapter id in the sortmap. Users do not need any access to the restricted books / chapters in order to perform this attack.

Proof of Concept

[{"id":"3","sort":0,"parentChapter":"5","type":"page","book":"3"}]

The attacker has update permissions on page ID 3 and book ID 3, and does not have any permissions on chapter ID 5.

Sending the above sortmap causes page ID 3 to be moved into chapter ID 5, bypassing the permission checks on the chapter.

Impact

This vulnerability allows users with page-update and book-update permissions on any page and book to effectively create pages in any chapter in the application.
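The flaw and one way of closing it, as an added Python model (this is not BookStack's code, which is PHP, nor the 21.12.1 fix). It assumes a small in-memory content tree, a grant table standing in for BookStack's entity permissions, and that a 0 or empty parentChapter means "no chapter"; those are all assumptions made for the example. sort_vulnerable reproduces the report: it authorises only the page and the client-supplied book, so the PoC sortmap drops page 3 into chapter 5 without any grant on the chapter. sort_hardened treats the move as a removal from the old container plus an insertion into the new one, checks that the supplied parentChapter really belongs to the supplied book, and applies nothing until the whole map has passed.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory model of a BookStack-style content tree and permission
# table. Illustrative only: not BookStack's classes; entity/action names are
# assumptions made for this example.

@dataclass
class Page:
    id: int
    book_id: int
    chapter_id: Optional[int]  # None: the page sits directly in the book

class PermissionDenied(Exception):
    pass

class Store:
    def __init__(self):
        # Book 3 holds page 3 (top level) and restricted chapter 5; chapter 7
        # belongs to book 4. chapters maps chapter id -> owning book id.
        self.pages = {3: Page(3, 3, None)}
        self.chapters = {5: 3, 7: 4}
        # Grants as (user, action, entity type, entity id). "attacker" matches
        # the report: update on page 3 and book 3, nothing on chapter 5.
        self.grants = {
            ("attacker", "update", "page", 3), ("attacker", "update", "book", 3),
            ("editor", "update", "page", 3), ("editor", "update", "book", 3),
            ("editor", "update", "chapter", 5),
        }

    def can(self, user, action, etype, eid):
        return (user, action, etype, eid) in self.grants

def _parent(value):
    # Assumption: 0 / empty parentChapter means "no chapter".
    return None if value in (None, "", 0, "0", False) else int(value)

def parse_sortmap(raw):
    """Yield (page_id, book_id, parent_chapter) for each page entry."""
    for e in json.loads(raw):
        if e.get("type") == "page":
            yield int(e["id"]), int(e["book"]), _parent(e.get("parentChapter"))

def sort_vulnerable(store, user, raw):
    """Reproduces the report: only the page and the client-supplied book are
    authorised; the chapter the page lands in is never checked."""
    for page_id, book_id, parent in parse_sortmap(raw):
        if not (store.can(user, "update", "page", page_id)
                and store.can(user, "update", "book", book_id)):
            raise PermissionDenied(f"no update on page {page_id} / book {book_id}")
        page = store.pages[page_id]
        page.book_id, page.chapter_id = book_id, parent

def sort_hardened(store, user, raw):
    """A move removes the page from one container and inserts it into another,
    so every element touched is authorised before anything is changed."""
    pending = []
    for page_id, book_id, parent in parse_sortmap(raw):
        page = store.pages.get(page_id)
        if page is None or not store.can(user, "update", "page", page_id):
            raise PermissionDenied(f"no update on page {page_id}")
        if not store.can(user, "update", "book", book_id):
            raise PermissionDenied(f"no update on destination book {book_id}")
        if parent is not None:
            # Both ids come from the client: confirm the chapter is in that book.
            if store.chapters.get(parent) != book_id:
                raise PermissionDenied(f"chapter {parent} is not in book {book_id}")
            if not store.can(user, "update", "chapter", parent):
                raise PermissionDenied(f"no update on destination chapter {parent}")
        # Leaving the current container is a removal there; authorise it too.
        if page.chapter_id is not None:
            if not store.can(user, "update", "chapter", page.chapter_id):
                raise PermissionDenied(f"no update on source chapter {page.chapter_id}")
        elif not store.can(user, "update", "book", page.book_id):
            raise PermissionDenied(f"no update on source book {page.book_id}")
        pending.append((page, book_id, parent))
    for page, book_id, parent in pending:  # all-or-nothing: apply after all checks
        page.book_id, page.chapter_id = book_id, parent

# The sortmap from the report, plus a constructed one naming a chapter of another book.
POC_SORTMAP = '[{"id":"3","sort":0,"parentChapter":"5","type":"page","book":"3"}]'
CROSS_BOOK_SORTMAP = '[{"id":"3","sort":0,"parentChapter":"7","type":"page","book":"3"}]'

def attempt(sorter, user, raw):
    """Run one sorter on a fresh store; return (outcome, chapter page 3 ends up in)."""
    store = Store()
    try:
        sorter(store, user, raw)
        return "allowed", store.pages[3].chapter_id
    except PermissionDenied as exc:
        return f"denied: {exc}", store.pages[3].chapter_id

if __name__ == "__main__":
    for label, sorter, user, raw in [
        ("vulnerable/attacker", sort_vulnerable, "attacker", POC_SORTMAP),
        ("hardened/attacker", sort_hardened, "attacker", POC_SORTMAP),
        ("hardened/editor", sort_hardened, "editor", POC_SORTMAP),
        ("hardened/cross-book", sort_hardened, "editor", CROSS_BOOK_SORTMAP),
    ]:
        print(f"{label:20} {attempt(sorter, user, raw)}")
```

Running it shows the attacker's PoC map succeeding against sort_vulnerable and being refused by sort_hardened on the destination chapter, while an editor who does hold update on chapter 5 can still perform the same move. The cross-book case matters because the sortmap carries both a book id and a chapter id chosen by the client; authorising the book alone says nothing about a chapter that lives somewhere else.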

We are processing your report and will contact the bookstackapp/bookstack team within 24 hours. a year ago
We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back a year ago
Dan Brown
a year ago

Maintainer


Thanks once again for finding and reporting!

Will take this as an opportunity to perform a bit of an audit and refactor of the book sorting logic as it's been a while since I touched these parts.

Will aim to deploy as part of a patch release for about mid-next-week.

Dan Brown validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
haxatron
a year ago

Researcher


No problem! Have a happy new year.

Dan Brown
a year ago

Maintainer


Just to provide an update, this has proved quite tricky due to the models and permissions involved (since it can be taken as an update, delete and create action across multiple elements), so it has taken longer than expected to implement a fix. Think I've got one together now but just need to review it. Intending to deploy tomorrow. Also found a lacking chapter-move permission while fixing this which will be part of the release.

haxatron
a year ago

Researcher


No pressure :), access control is tough to get right

Dan Brown marked this as fixed in 21.12.1 with commit cb0d67 a year ago
Dan Brown has been awarded the fix bounty
This vulnerability will not receive a CVE
BookContents.php#L147-L168 has been validated