Improper Access Control in bookstackapp/bookstack
Reported on
Dec 28th 2021
Description
parentChapter permissions are not enforced during sort. Users with only book-update permissions on their own page can move their pages into restricted chapters via modifying the parentChapter id in the sortmap. Users do not need to have access to restricted books / chapter in order to perform this attack.
Proof of Concept
[{"id":"3","sort":0,"parentChapter":"5","type":"page","book":"3"}]
Attacker has update permissions on page ID 3 and book ID 3. Attacker do not have any permissions on chapter ID 5
Sending the above sortmap will cause page ID 3 to be moved to chapter ID 5 bypassing permission checks
Impact
This vulnerability is capable of users with page-update and book-update permissions on any page and book can essentially create pages on any chapter on the application.
Occurrences
Thanks once again for finding and reporting!
Will take this as an opportunity to perform a bit of an audit and refactor of the book sorting logic as it's been a while since I touched these parts.
Will aim to deploy as part of a patch release for about mid-next-week.
Just to provide an update, this has proved quite tricky due to the models and permissions involved (Since it can be taken as a update, delete and create action across multiple elements) so has taken longer than expected to implement a fix. Think I've got one together now but just need to review it. Intending to deploy tomorrow. Also found a lacking chapter-move permission while fixing this which will be part of the release.