Improper Access Control in janeczku/calibre-web

Valid

Reported on Jul 21st 2021
✍️ Description

A user can edit the title of another user's shelf.

🕵️‍♂️ Proof of Concept

The function edit_shelf passes the shelf it looked up by the id taken from the URL path straight to create_edit_shelf(), without checking whether that shelf belongs to the current user.

# shelf.py
@shelf.route("/shelf/edit/<int:shelf_id>", methods=["GET", "POST"])
@login_required
def edit_shelf(shelf_id):
    shelf = ub.session.query(ub.Shelf).filter(ub.Shelf.id == shelf_id).first()  # the shelf is looked up by the id from the path only; no ownership check
    return create_edit_shelf(shelf, title=_(u"Edit a shelf"), page="shelfedit", shelf_id=shelf_id)  # the shelf is edited directly; create_edit_shelf() does not check ownership either

PoC:

  1. Log in as user "test".
  2. Select the shelf with id=2 (/shelf/2).
  3. Edit its properties: change the title and save.
  4. Intercept the request POST /shelf/edit/2 and change the id in the path from 2 to 1. Id 1 corresponds to the shelf of user "test2". See image.
  5. Send the request.
  6. Log in as user "test2".
  7. Look at the shelf name: the change has been applied, "shelf test 2 edited by usertest1". See image.

💥 Impact

Integrity: data manipulation. Any authenticated user can modify another user's shelf, so the owner sees edits they never made.

✍️ Recommendation

Add a validation that checks whether the current user owns the shelf being edited, before saving, or better still, before calling the method that edits the shelf.
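The following is an added example of that ownership check, not calibre-web's own code: Flask and SQLAlchemy are replaced by in-memory stand-ins so it runs on its own, and the Shelf fields (id, user_id, name) and the admin flag on the user are assumptions.

```python
# Added example: ownership check for the edit_shelf handler described above.
# Flask/SQLAlchemy are replaced by small in-memory stand-ins; the Shelf
# fields (id, user_id, name) and the User.role_admin flag are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    id: int
    name: str
    role_admin: bool = False  # assumed flag: admins may edit any shelf


@dataclass
class Shelf:
    id: int
    user_id: int
    name: str


# Constructed sample data mirroring the report: shelf 1 belongs to "test2",
# shelf 2 belongs to "test".
USERS: Dict[int, User] = {1: User(1, "test"), 2: User(2, "test2")}
SHELVES: Dict[int, Shelf] = {
    1: Shelf(1, user_id=2, name="shelf test 2"),
    2: Shelf(2, user_id=1, name="shelf test"),
}


def check_shelf_edit_permissions(shelf: Optional[Shelf], user: User) -> bool:
    """Return True only if `user` may edit `shelf`.

    This is the check the vulnerable edit_shelf route never performed: the
    shelf looked up by the path id must belong to the current user (or the
    user must be an admin).
    """
    if shelf is None:
        return False
    return user.role_admin or shelf.user_id == user.id


def edit_shelf(shelf_id: int, current_user: User, new_title: str) -> int:
    """Hardened handler; returns the HTTP status the route would send.

    403 is returned before any edit is attempted, so the rename below can
    only ever run against a shelf the caller is allowed to edit.
    """
    shelf = SHELVES.get(shelf_id)  # same lookup as the original route
    if shelf is None:
        return 404
    if not check_shelf_edit_permissions(shelf, current_user):
        return 403  # ownership check added here, before editing
    shelf.name = new_title  # stands in for create_edit_shelf()
    return 200
```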


Jamie Slome (Admin), 4 months ago:

I have now granted the maintainer access to the page.

Ozzie Isaacs validated this vulnerability 4 months ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs confirmed that a fix has been merged on c7b057 4 months ago
Ileana Barrionuevo has been awarded the fix bounty
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 4 months ago