Use of Cache Containing Sensitive Information in bookstackapp/bookstack

Valid

Reported on

Oct 8th 2021


Description

Bookstack does not use secure Cache-Control headers.

Proof of Concept

1: Login to application
2: View a shelf
3: Logout
4: Press the back button of the opened tab to still see that you can view the information about books previous page of your shelf.

Impact

This issue is capable of storing sensitive page data in the Browser, leading to situations where a physical attacker can press the Browser back button to reveal information.

Recommended Fix

Add the Cache-Control header containing 'no-store' and 'no-cache' directives.

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back a year ago
haxatron modified the report
a year ago
Dan Brown validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dan Brown marked this as fixed with commit 41ac69 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Dan Brown
a year ago

Thanks for reporting @haxatron. All now patched.

Note, the provided reference was mainly around the subject of caching at a proxy-level. I think this specific vulnerability vector was already avoided by a few existing default cache-control rules. Your core impact and PoC was apparent though so that's what I have patched.

Note, I am working on your other report. I'll just need a little more time due to the higher severity of that one, to ensure the patch is released alongside security notifications to users.

to join this conversation