External Control of File Name or Path in bookstackapp/bookstack
Oct 9th 2021
The dompdf chroot option in BookStack is set to base_path(), which is the Laravel application root (/var/www/bookstack in a typical install). dompdf only restricts file:// image loads to paths under the chroot, so a user who can edit page content can make a PDF export embed any image file located anywhere in that directory tree, not just files meant to be served from public/.
Proof of Concept
1: Place an image file at /var/www/bookstack/cat.jpg
2: Insert the following into the page content: <p id="bkmrk-"><img src="file:///var/www/bookstack/cat.jpg" /></p>
3: Export the page via PDF; the image is rendered into the exported document
Any user with page edit rights can therefore load any image file in the Laravel root folder or its subdirectories into a PDF export. While I am not aware of a reason for image files (or subdirectories of them) to be present in the Laravel root folder, I am reporting this in case it matters to you.
The fix is to change base_path() to public_path() in the dompdf chroot setting, so that dompdf can only load local images from the public/ subdirectory. (I have linked my patch in huntr.dev.)
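To show why the chroot value matters, the following is an added example (not BookStack or dompdf code) that models the check dompdf applies to file:// image URLs: resolve the local path and require it to sit under the chroot directory. It runs the proof-of-concept payload above, plus a few variants, under both chroot = base_path() and chroot = public_path(). The install path /var/www/bookstack, the extra file names, and the pure normpath resolver used in demo() are assumptions so the block runs without a real install; against a live system is_under_chroot() uses os.path.realpath, which also catches symlinks pointing out of the chroot. The check only decides whether dompdf is permitted to open the path; dompdf still needs the target to be a parseable image to render it.

```python
"""Model of dompdf's chroot restriction on file:// image sources.

Added example, not BookStack or dompdf code. It shows that with
chroot = base_path() every file under the Laravel root is reachable from
a PDF export, while chroot = public_path() limits loads to public/.
"""
import os
import posixpath
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import unquote, urlparse

# Assumed install layout, as in the report (hypothetical paths).
BASE_PATH = "/var/www/bookstack"
PUBLIC_PATH = posixpath.join(BASE_PATH, "public")


def file_url_to_path(url: str) -> Optional[str]:
    """Return the local path for a file:// URL, or None for any other scheme."""
    parts = urlparse(url)
    if parts.scheme != "file":
        return None
    # file:///var/www/x parses to netloc "" and path "/var/www/x"
    return unquote(parts.path)


def is_under_chroot(path: str, chroot: str,
                    resolve: Callable[[str], str] = os.path.realpath) -> bool:
    """True if `path` resolves to `chroot` itself or to a descendant of it.

    Both sides are canonicalised with `resolve` (realpath by default, so a
    symlink out of the chroot is caught). The comparison requires a
    directory-separator boundary, so /var/www/bookstack-old is not treated
    as a child of /var/www/bookstack.
    """
    real_path = resolve(path)
    real_root = resolve(chroot).rstrip("/")
    return real_path == real_root or real_path.startswith(real_root + "/")


def image_allowed(src: str, chroot: str,
                  resolve: Callable[[str], str] = os.path.realpath) -> bool:
    """Would a local <img src=...> be permitted under the given chroot?"""
    path = file_url_to_path(src)
    if path is None:
        return False  # http(s) sources are governed by dompdf's remote option, not chroot
    return is_under_chroot(path, chroot, resolve)


def demo(resolve: Callable[[str], str] = posixpath.normpath) -> Dict[str, Tuple[bool, bool]]:
    """Evaluate the PoC payload and constructed variants under both settings.

    Returns {src: (allowed_with_base_path, allowed_with_public_path)}.
    Defaults to normpath so it runs offline without the files existing.
    """
    srcs = [
        "file:///var/www/bookstack/cat.jpg",                        # PoC from the report
        "file:///var/www/bookstack/storage/app/secret.png",         # constructed: any subdirectory
        "file:///var/www/bookstack/public/uploads/images/logo.png", # constructed: legitimate upload
        "file:///var/www/bookstack/public/../.env",                 # constructed: traversal out of public/
        "file:///var/www/bookstack-old/cat.jpg",                    # constructed: shares the string prefix only
    ]
    return {
        s: (image_allowed(s, BASE_PATH, resolve), image_allowed(s, PUBLIC_PATH, resolve))
        for s in srcs
    }


if __name__ == "__main__":
    for src, (with_base, with_public) in demo().items():
        print(src)
        print(f"  chroot=base_path():   {with_base}")
        print(f"  chroot=public_path(): {with_public}")
```

With base_path() every entry except the sibling directory is allowed; with public_path() only the file genuinely under public/ passes, and the ../ traversal is rejected because the path is normalised before the boundary check. A string-prefix comparison without the trailing separator would wrongly admit /var/www/bookstack-old, which is the reason for the rstrip("/") + "/" construction.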