Generation of Error Message Containing Sensitive Information in janeczku/calibre-web

Valid

Reported on

Nov 15th 2021
Description

A user can see the names of other users' private shelves by trying to remove a book from those shelves.

Proof of Concept

Line 221 of shelf.py exposes the shelf name when a user tries to remove a book from a shelf that is not theirs.

            log.warning("You are not allowed to remove a book from shelf: {}".format(shelf.name))
            flash(_(u"Sorry you are not allowed to remove a book from this shelf: %(sname)s", sname=shelf.name),
                  category="error")
            return redirect(url_for('web.index'))
        return "Sorry you are not allowed to remove a book from this shelf: %s" % shelf.name, 403 # this is the message the user sees.

Steps to Reproduce

#1. As an admin, create a shelf. This shelf has id = 1.

#2. Add a book to that shelf. For this example, the book id = 2.

#3. Log in as another user and send the following request: GET /shelf/remove/1/2

#4. See the returned message: "Sorry you are not allowed to remove a book from this shelf: admin shelf"

Impact

This vulnerability discloses private information to an unauthorized user. This information should not be disclosed.

Occurrences

The method def search_to_shelf(shelf_id) in the same file has the same issue at line 126, where the permission check flashes the name of the shelf:

    flash(_(u"You are not allowed to add a book to the the shelf: %(name)s", name=shelf.name), category="error")

The user receives a 403 error containing the name of the shelf, which they could not otherwise see because it belongs to another user.
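To make the issue in both the remove_from_shelf and search_to_shelf branches concrete, here is an added example (not calibre-web's own code) that models the permission branch without Flask: the leaking response beside a hardened one that keeps the shelf name in the server log only. The User/Shelf classes, the can_edit_shelf rule and the leaks_shelf_name check are constructed for this illustration.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("shelf")


@dataclass
class User:          # hypothetical stand-in for calibre-web's current_user
    id: int


@dataclass
class Shelf:         # hypothetical stand-in for ub.Shelf
    id: int
    name: str        # private shelf names are what must not leak
    user_id: int
    is_public: bool = False


def can_edit_shelf(shelf: Shelf, user: User) -> bool:
    # Assumed ownership rule: the owner, or anyone for a public shelf.
    return shelf.is_public or shelf.user_id == user.id


def remove_from_shelf_leaky(shelf: Shelf, user: User):
    """Vulnerable shape (as at shelf.py line 221): the 403 body echoes the name."""
    if can_edit_shelf(shelf, user):
        return "book removed", 200
    log.warning("You are not allowed to remove a book from shelf: %s", shelf.name)
    return "Sorry you are not allowed to remove a book from this shelf: %s" % shelf.name, 403


def remove_from_shelf_fixed(shelf: Shelf, user: User):
    """Hardened: same decision, generic response; detail stays server-side by id."""
    if can_edit_shelf(shelf, user):
        return "book removed", 200
    log.warning("user %s denied removing a book from shelf id %s", user.id, shelf.id)
    return "Sorry you are not allowed to remove a book from this shelf", 403


def leaks_shelf_name(handler, shelf: Shelf, user: User) -> bool:
    """Regression check: does a non-owner's 403 response contain the shelf name?"""
    body, status = handler(shelf, user)
    return status == 403 and shelf.name in body


if __name__ == "__main__":
    admin_shelf = Shelf(id=1, name="admin shelf", user_id=1)  # constructed, matches the steps above
    other_user = User(id=2)
    print(leaks_shelf_name(remove_from_shelf_leaky, admin_shelf, other_user))  # True
    print(leaks_shelf_name(remove_from_shelf_fixed, admin_shelf, other_user))  # False
```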

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 19 days ago
Ileana Barrionuevo modified their report 19 days ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 18 days ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. 15 days ago
janeczku validated this vulnerability 14 days ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
janeczku confirmed that a fix has been merged on 6f5390 14 days ago
The fix bounty has been dropped
shelf.py#L221 has been validated
shelf.py#L126 has been validated