Improper Access Control in janeczku/calibre-web
Nov 15th 2021
A user who has no permission for public shelves can nevertheless create them.
Proof of Concept
create_shelf in shelf.py does not check whether the user has the public shelf permission before creating it:

    def create_shelf():
        shelf = ub.Shelf()
        # directly creates the shelf without checking.
        return create_edit_shelf(shelf, page_title=_(u"Create a Shelf"), page="shelfcreate")
Steps to Reproduce
#1. As an admin, open the admin panel to see the user list. One of the users, called Ile, has no permission for public shelves (indicated with an X).
#2. Log in as user "ile" and go to the Create shelf option. Observe that this user cannot tick the "Share with public" box.
#3. Give the shelf a name, save it, and intercept the request.
#4. Add a parameter as follows:
is_public=on (Image 1)
#5. Send the request and load the page both as admin and as user "ile". See that a public shelf was created by this user. (Image 2)
The user performs actions they are not authorized for: the permission is only enforced by hiding the checkbox in the UI, not on the server when the request is handled.
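The following is an added, self-contained illustration (not calibre-web's code) of the flaw in the proof of concept and the steps above: a handler that trusts the submitted is_public field beside one that checks the user's permission server-side. The User, Shelf, ROLE_EDIT_SHELFS and handler names, and the form dictionary, are assumptions constructed for this example.

```python
# Added example, not calibre-web's own code. Models the create-shelf handler
# with a minimal in-memory user/shelf so it runs offline.
from dataclasses import dataclass

# Constructed bit flag standing in for the "public shelves" permission.
ROLE_EDIT_SHELFS = 1 << 6


@dataclass
class User:
    name: str
    role: int = 0

    def role_edit_shelfs(self) -> bool:
        return bool(self.role & ROLE_EDIT_SHELFS)


@dataclass
class Shelf:
    name: str
    user_id: str
    is_public: int = 0


class Forbidden(Exception):
    """Raised when a request asks for an action the user is not allowed."""


def create_shelf_vulnerable(user: User, form: dict) -> Shelf:
    # Mirrors the report: the form field is trusted as sent. The UI hides the
    # checkbox for users without the permission, but an intercepted request
    # with "is_public=on" added is honoured just the same.
    return Shelf(name=form["title"], user_id=user.name,
                 is_public=1 if form.get("is_public") else 0)


def create_shelf_fixed(user: User, form: dict) -> Shelf:
    # Hardened version: the permission is checked on the server regardless of
    # what the client sent, so a forged is_public is rejected rather than
    # silently accepted. Rejecting (instead of quietly dropping the flag)
    # also leaves a log-worthy event for detection.
    wants_public = bool(form.get("is_public"))
    if wants_public and not user.role_edit_shelfs():
        raise Forbidden(f"user {user.name!r} lacks the public-shelf permission")
    return Shelf(name=form["title"], user_id=user.name,
                 is_public=1 if wants_public else 0)


def is_rejected(user: User, form: dict) -> bool:
    # Helper so callers can test the authorization outcome as a plain boolean.
    try:
        create_shelf_fixed(user, form)
    except Forbidden:
        return True
    return False
```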