Use of Cache Containing Sensitive Information in bookstackapp/bookstack

Valid

Reported on

Oct 8th 2021


Description

BookStack does not send Cache-Control headers that prevent authenticated pages from being cached by the browser.

Proof of Concept

1: Log in to the application
2: View a shelf
3: Log out
4: Press the back button in the same tab: the previously viewed shelf page, including the information about its books, is still displayed.

Impact

Sensitive page data remains stored in the browser after logout, so an attacker with physical access to the device can press the browser's back button to reveal that information.

Recommended Fix

Add a Cache-Control header containing the 'no-store' and 'no-cache' directives to responses that render authenticated content.
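As an added illustration of how to check for this weakness (example code written for this report, not BookStack's own), the following parses Cache-Control values and flags responses that lack the recommended directives. The sample responses and paths are constructed, not captured from a real instance.

```python
"""Audit Cache-Control headers on authenticated pages for the weakness above.

Added example for this report, not BookStack's own code; the responses
below are constructed samples, not captured from a real instance."""
from typing import Dict, List, Tuple


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}.

    Directive names are case-insensitive; arguments may be quoted."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def missing_directives(value: str) -> List[str]:
    """Return whichever of the recommended 'no-store'/'no-cache' is absent."""
    present = parse_cache_control(value)
    return [d for d in ("no-store", "no-cache") if d not in present]


def storable(value: str) -> bool:
    """True if a cache may keep a copy of the response.

    'no-cache' alone still allows storage (it only forces revalidation);
    only 'no-store' forbids storing the response at all."""
    return "no-store" not in parse_cache_control(value)


# Constructed sample responses: (path, Cache-Control header value).
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("/shelves/1", "private, max-age=600"),                 # weak: may be stored
    ("/books/2", "no-cache"),                               # weak: still storable
    ("/shelves/3", "no-store, no-cache, must-revalidate"),  # fixed
]


def audit(responses: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """List (path, missing directives) for every response not fully protected."""
    findings = []
    for path, header in responses:
        missing = missing_directives(header)
        if missing:
            findings.append((path, missing))
    return findings


if __name__ == "__main__":
    for path, missing in audit(SAMPLE_RESPONSES):
        print(f"{path}: missing {', '.join(missing)}")
```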

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back 19 days ago
haxatron modified their report 19 days ago
Dan Brown validated this vulnerability 18 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dan Brown confirmed that a fix has been merged on 41ac69 18 days ago
The fix bounty has been dropped
Dan Brown
18 days ago

Thanks for reporting @haxatron. All now patched.

Note, the provided reference was mainly around the subject of caching at a proxy-level. I think this specific vulnerability vector was already avoided by a few existing default cache-control rules. Your core impact and PoC were apparent though so that's what I have patched.

Note, I am working on your other report. I'll just need a little more time due to the higher severity of that one, to ensure the patch is released alongside security notifications to users.