External Control of File Name or Path in bookstackapp/bookstack
Oct 9th 2021
The dompdf chroot option in Bookstack App is set to base_path, which is the Laravel root folder (/var/www/bookstack). An attacker can hence load any image file in the Laravel folder (/var/www/bookstack) or its subdirectories via PDF exports.
Proof of Concept
1: Place an image file in /var/www/bookstack/cat.jpg 2: Use the payload <p id="bkmrk-"><img src="file:///var/www/bookstack/cat.jpg" /></p> 3: Export via PDF
Attackers with edit rights can load any image file in the Laravel root folder. While I may not exactly know what an image file (or a subdirectory of them) would be doing in the Laravel root folder, I thought that I should just report this to you just in case you care about it.
Additionally, the patch fix would be to change base_path() to public_path() so that DomPDF can only load images from the public/ subdirectory. (I have linked my patch fix in huntr.dev)
Thanks again @haxatron!
As you alluded to, would have to be quite a specific attack. Could possibly be used to get image attachments but, since we auto-generate their names, would be very unlikely to be useful. Either way, better to not have the possibility for this one. Thanks for the fix!