Insufficient Session Expiration in janeczku/calibre-web

Valid

Reported on

Jul 21st 2021


✍️ Description

The app does not expire the user's session after logout. A copy of the session cookie taken before logging out can still be used to access the site after the user has logged out.

🕵️‍♂️ Proof of Concept

1. Log in as a user at /login.
2. Select logout, intercepting the request and copying the user's cookie.
3. After the logout, send a new request to /me with the copied cookie.
4. Observe that it is still possible to get information from the site.

The method logout_user() at line 1575 of the file web.py does not invalidate the session properly: it only clears the cookie on the client side, so a previously copied cookie is still accepted.
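As an added illustration (not code from calibre-web or flask-login), the following stdlib-only Python models why step 3 above succeeds: a signed client-side session cookie stays valid after logout unless the server keeps a per-login identifier that logout revokes. `SECRET_KEY`, the `USERS` store and all function names are constructed for this demo.

```python
import hashlib, hmac, secrets
SECRET_KEY = b"constructed-demo-signing-key"  # assumption: server's cookie-signing secret
USERS = {"alice": {"session_token": None}}  # constructed store; token is per login

def sign(payload: str) -> str:
    # Stand-in for a signed client-side session cookie: "<payload>.<hmac>"
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def verify(cookie: str):
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(mac, expected) else None

# Vulnerable pattern: the cookie is only a signed user id and logout just asks
# the browser to drop it, so a copy taken before logout still verifies.
def login_stateless(user: str) -> str:
    return sign(user)

def logout_stateless(user: str) -> None:
    pass  # nothing changes server-side

def current_user_stateless(cookie: str):
    return verify(cookie)

# Hardened pattern: the cookie carries a per-login token that must match the
# server-side record; logout clears that record, so every copy stops working.
def login_rotating(user: str) -> str:
    token = secrets.token_hex(16)
    USERS[user]["session_token"] = token
    return sign(f"{user}:{token}")

def logout_rotating(user: str) -> None:
    USERS[user]["session_token"] = None

def current_user_rotating(cookie: str):
    payload = verify(cookie)
    if payload is None:
        return None
    user, _, token = payload.partition(":")
    stored = USERS.get(user, {}).get("session_token")
    if stored is None or not hmac.compare_digest(stored, token):
        return None
    return user

def replay_after_logout(login, logout, current_user):
    # The report's steps: log in, log out, then replay the copied cookie
    cookie = login("alice")
    logout("alice")
    return current_user(cookie)  # user name if the replay still works, else None
```

The same rotation idea applies to remember-me cookies: whatever identifier the cookie carries must be something the server can change at logout.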

💥 Impact

This could allow unwanted actions. If the account is compromised in some way (e.g. someone stole the cookies, accessed the browser, etc.), a malicious actor could perform actions in the name of the user even after the user has logged out.

Jamie Slome
4 months ago

Admin


I have now granted the maintainer access to the page.

Ozzie Isaacs
4 months ago

Seems to be a known problem from flask-login https://github.com/maxcountryman/flask-login/issues/480

Ozzie Isaacs validated this vulnerability 4 months ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 4 months ago
Ozzie Isaacs
2 months ago

@admin: Looks like I lost the email where I can report the problem fixed. (Commit for fix was this one: https://github.com/janeczku/calibre-web/commit/a63baa175871b416a7f0baeea86f5bdc9bc440a0). Would be great if you could handle this somehow

Jamie Slome confirmed that a fix has been merged on a63baa 2 months ago
The fix bounty has been dropped
Jamie Slome
2 months ago

Admin


Sorted! 🎊