External Control of File Name or Path in bookstackapp/bookstack
Reported on
Oct 9th 2021
Description
BookStack sets dompdf's chroot option to base_path(), which is the Laravel application root (/var/www/bookstack). dompdf only permits local file:// image sources that resolve to a path under the chroot, so with this setting an attacker who can edit page content can make a PDF export load any image file in the Laravel root (/var/www/bookstack) or any of its subdirectories.
Proof of Concept
1: Place an image file at /var/www/bookstack/cat.jpg (inside the Laravel root, not under public/).
2: Save a page whose HTML contains the payload <p id="bkmrk-"><img src="file:///var/www/bookstack/cat.jpg" /></p>
3: Export the page as PDF. The exported PDF contains cat.jpg, even though that file is outside the web-served public/ directory.
Impact
Attackers with edit rights can load any image file in the Laravel root folder or its subdirectories into a PDF export. While I may not exactly know what an image file (or a subdirectory of them) would be doing in the Laravel root folder, I thought that I should report this to you just in case you care about it.
Additionally, the fix would be to change base_path() to public_path() so that dompdf can only load images from the public/ subdirectory. (I have linked my patch on huntr.dev.)
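The following is an added example and not BookStack's or dompdf's own code. It emulates the kind of prefix check a dompdf-style chroot option performs on a file:// image source, then runs the PoC path from the steps above against the vulnerable setting (chroot = Laravel root) and the fixed one (chroot = public/). The temporary directory layout, the constructed file contents and the helper name imagePathAllowed are assumptions made for this example.

```php
<?php
// Added example (not BookStack's or dompdf's code): a minimal emulation of
// the prefix check that a dompdf-style "chroot" option applies to local
// file:// image sources, used to show why the chroot must be public/ rather
// than the Laravel root. Directory layout, file names and the helper name
// are assumptions made for this example.

/**
 * Decide whether $candidate, the path taken from a file:// img src, may be
 * read when the configured chroot is $chroot. Both paths are canonicalised
 * with realpath() first so "../" segments and symlinks cannot escape the
 * directory, and the comparison includes a trailing separator so a sibling
 * such as "/var/www/bookstack-old" does not match "/var/www/bookstack".
 */
function imagePathAllowed(string $chroot, string $candidate): bool
{
    $realChroot = realpath($chroot);
    $realFile   = realpath($candidate);
    if ($realChroot === false || $realFile === false) {
        return false; // unknown directory or missing file: deny by default
    }
    $prefix = rtrim($realChroot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realFile, $prefix, strlen($prefix)) === 0;
}

// Throwaway tree mirroring the report: an image dropped into the Laravel
// root, and a public/ directory beneath it holding a legitimate asset.
// Contents are constructed placeholders, not real image data.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bookstack-' . bin2hex(random_bytes(4));
mkdir($root . '/public', 0700, true);
file_put_contents($root . '/cat.jpg', 'constructed stand-in for the PoC image');
file_put_contents($root . '/public/logo.png', 'constructed stand-in for a shipped asset');

$payload = $root . '/cat.jpg'; // what file:///var/www/bookstack/cat.jpg becomes here

$checks = [
    'chroot=base_path(), PoC image'           => imagePathAllowed($root, $payload),
    'chroot=public_path(), PoC image'         => imagePathAllowed($root . '/public', $payload),
    'chroot=public_path(), public/logo.png'   => imagePathAllowed($root . '/public', $root . '/public/logo.png'),
    'chroot=public_path(), public/../cat.jpg' => imagePathAllowed($root . '/public', $root . '/public/../cat.jpg'),
];
foreach ($checks as $label => $allowed) {
    printf("%-42s %s\n", $label, $allowed ? 'allowed' : 'blocked');
}

// Remove the temporary tree again.
unlink($root . '/public/logo.png');
unlink($root . '/cat.jpg');
rmdir($root . '/public');
rmdir($root);
```

Run it with the PHP CLI. With the chroot at the Laravel root the PoC image is allowed; once the chroot is public/, the PoC image is blocked, the traversal attempt public/../cat.jpg is blocked because the path is canonicalised before the prefix comparison, and only the asset that actually lives under public/ is still readable. In a laravel-dompdf style config/dompdf.php this corresponds to setting the 'chroot' key to public_path() instead of base_path(); the exact file and key in BookStack's own configuration are an assumption here.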
Occurrences
Thanks again @haxatron!
As you alluded to, it would have to be quite a specific attack. It could possibly be used to get image attachments but, since we auto-generate their names, it would be very unlikely to be useful. Either way, it is better not to have the possibility for this one. Thanks for the fix!