Unauthenticated book download and view details in kareadita/kavita

Valid

Reported on

Aug 7th 2022


Description

A unauthenticated user can download, view the details and resources, and retrieve individual pages of any book in the system without any kind of authorization or authentication verification.

Unauthenticated book operations list:

1 - Download any book via the /api/reader/pdf endpoint.
2 - Get information of any book via the /api/book/<book-id>/book-info endpoint.
3 - Get all the resources of any book via the /api/book/<book-id>/book-resources endpoint .
4 - Get all the chapters of any book via the /api/book/<book-id>/chapters enpoint.
5 - Get individual pages of any book via the /api/book/<book-id>/book-page?page=<page> endpoint.
6 - Get page image of any book via the /api/reader/image?chapterId=<book-id> endpoint

Proof of Concept

Download book:

  1. 1 - Send the following request, where the <chapterID> is the id of the target book.
GET /api/reader/pdf?chapterId=<chapterID>
HOST localhost:5000
  1. 2 - The book is downloaded with success.

Impact

A unauthenticated user can download every book in the application and retrieve related book information, without the permissions required to do so.

We are processing your report and will contact the kareadita/kavita team within 24 hours. 2 months ago
We have contacted a member of the kareadita/kavita team and are waiting to hear back 2 months ago
Joseph Milazzo validated this vulnerability 2 months ago

Fixed locally

vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joseph Milazzo confirmed that a fix has been merged on 9c31f7 2 months ago
Joseph Milazzo has been awarded the fix bounty
to join this conversation