Improper Access Control in janeczku/calibre-web
Jan 24th 2022
With default settings, low-level users will not have permission to read name of private shelf (shelf create by another user and not in public mode). However, due to incorrect HTML render, the application does not work as intended.
Proof of Concept
- Step 1: Login with admin account and go to http://hostname:8083/admin/user/new. Create new user "test2" with default permissions (only "Show *" permissions).
- Step 2: Using admin account and create private shelf. Get id of this shelf.
- Step 3: Login as test1 and go to http://hostname:8083/shelf/order/:id. Attacker will get name of private shelf. id for this attack can get via brute-force.
- PoC: https://drive.google.com/file/d/10tbKwfXlNXMgPEa0i4pPZ1-wW2ovUpsM
In line 380 (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L380), server will check view permission of user and query book for shelf. However, if user doesn't have view permission, server continues to render HTML containing shelf.name instead of showing error messages and redirect. This leads to disclose name of private shelf.
Low-level user can read name of all private shelves.
We are processing your report and will contact the janeczku/calibre-web team within 24 hours. a year ago
We have sent a fix follow up to the janeczku/calibre-web team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the janeczku/calibre-web team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the janeczku/calibre-web team. This report is now considered stale. a year ago
to join this conversation