External Control of File Name or Path in bookstackapp/bookstack

Valid

Reported on

Oct 9th 2021


Description

The dompdf chroot option in BookStack is set to base_path(), which is the Laravel root folder (/var/www/bookstack). An attacker can therefore load any image file in the Laravel root folder (/var/www/bookstack) or any of its subdirectories via PDF exports.

Proof of Concept

1: Place an image file in /var/www/bookstack/cat.jpg
2: Use the payload <p id="bkmrk-"><img src="file:///var/www/bookstack/cat.jpg" /></p>
3: Export via PDF

Impact

Attackers with edit rights can load any image file in the Laravel root folder. While I may not exactly know what an image file (or a subdirectory of them) would be doing in the Laravel root folder, I thought that I should just report this to you just in case you care about it.

Additionally, the patch fix would be to change base_path() to public_path() so that DomPDF can only load images from the public/ subdirectory. (I have linked my patch fix in huntr.dev)
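To make the difference between the two chroot settings concrete, the following is an added PHP example, not BookStack's or dompdf's own code: the base_path/public_path values are constructed stand-ins for Laravel's helpers, and isInsideChroot() is a hypothetical containment check of the kind a chroot option is meant to enforce.

```php
<?php
// Added example (not BookStack's or dompdf's code). Models the chroot rule:
//   weak:  'chroot' => base_path()    // whole Laravel root
//   fixed: 'chroot' => public_path()  // only the web-served public/ tree
// All paths are constructed for illustration; nothing touches the filesystem.

// Lexically normalise a path (drop ".", resolve "..", collapse "//") so that
// traversal segments cannot defeat the prefix comparison below. In production
// use realpath() as well, since a lexical check does not resolve symlinks.
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

// True when $candidate is $chroot itself or lies somewhere beneath it.
function isInsideChroot(string $chroot, string $candidate): bool
{
    $root   = rtrim(normalizePath($chroot), '/');
    $target = normalizePath($candidate);
    return $target === $root || strpos($target, $root . '/') === 0;
}

// Hypothetical stand-ins for Laravel's base_path() and public_path(),
// using the install location named in the report.
$basePath   = '/var/www/bookstack';
$publicPath = '/var/www/bookstack/public';

$requested = [
    '/var/www/bookstack/cat.jpg',                 // path from the report's PoC
    '/var/www/bookstack/public/uploads/x.png',    // legitimately public image
    '/var/www/bookstack/public/../storage/y.png', // traversal out of public/
    '/etc/hostname',                              // outside either root
];

foreach ($requested as $path) {
    printf("%-45s base_path: %-5s public_path: %s\n", $path,
        isInsideChroot($basePath, $path)   ? 'allow' : 'deny',
        isInsideChroot($publicPath, $path) ? 'allow' : 'deny');
}
```

Only the second path is allowed under both settings; the PoC path and the traversal attempt pass the base_path() chroot but are denied once the chroot is public_path().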

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back 2 months ago
haxatron modified their report 2 months ago
haxatron submitted a
2 months ago
haxatron modified their report 2 months ago
Dan Brown validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dan Brown confirmed that a fix has been merged on b04325 2 months ago
haxatron has been awarded the fix bounty
dompdf.php#L73 has been validated
Dan Brown
2 months ago

Maintainer


Thanks again @haxatron!

As you alluded to, it would have to be quite a specific attack. It could possibly be used to get image attachments but, since we auto-generate their names, it would be very unlikely to be useful. Either way, better to not have the possibility for this one. Thanks for the fix!