Improperly Controlled Modification of Dynamically-Determined Object Attributes in janeczku/calibre-web

Valid

Reported on

Jul 23rd 2021


✍️ Description

The name attribute is not properly restricted, so a user can change their username even when the profile view does not allow it to be changed.

🕵️‍♂️ Proof of Concept

# The method change_profile() also saves the name if it is present in the request. It does not check whether the user has permission to change it.
current_user.name = check_username(to_save["name"])
  1. Go to the user profile.
  2. Change the email address or any other data.
  3. Intercept the request POST /me.
  4. In the request body, add the parameter name=name+changed! alongside the other attributes.
  5. Send the request.
  6. See that the change has been made.

💥 Impact

This vulnerability allows an unauthorized change of the username.

Occurrences

We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 4 months ago
Ozzie Isaacs validated this vulnerability 4 months ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs confirmed that a fix has been merged on 3c8bfc 4 months ago
The fix bounty has been dropped