Server-Side Request Forgery (SSRF) in bookstackapp/bookstack
Reported on Aug 13th 2021
✍️ Description
A user with "Editor" rights can create a book page containing an <img> tag whose "src" attribute points to any external or internal resource. Exporting this page with the default dompdf backend causes the server to issue a request to that resource.
🕵️♂️ Proof of Concept
Updating the page with the malicious payload in the html parameter:
POST /books/<BOOK>/page/<PAGE> HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:91.0) Gecko/20100101 Firefox/91.0
Content-Type: application/x-www-form-urlencoded
Cookie: <COOKIE>

_token=<CSRF-TOKEN>&_method=PUT&summary=&name=123&html=<img src="http://127.0.0.1:7654/test.jpg">&tags%5B0%5D%5Bname%5D=&tags%5B0%5D%5Bvalue%5D=&tags%5Brandrowid%5D%5Bname%5D=&tags%5Brandrowid%5D%5Bvalue%5D=&attachment_link_uploaded_to=1&attachment_link_name=&attachment_link_url=&template=false
Exporting the page to PDF:
http://<HOST>/books/<BOOK>/page/<PAGE>/export/pdf
💥 Impact
An attacker can use this vulnerability to reach other resources inside the internal network perimeter.
Hey @d3adog, I've just contacted the repo's maintainers for you. Good job!
Thanks for reporting @d3adog, and thanks for contacting @zidingz,
I have had this mentioned previously by a security researcher but they considered it to be a relatively minor issue since the SSRF will be blind & image/CSS based only. Am I correct that this is still the case here? Or are there more significant potential effects?
This component making image requests is expected and I'd imagine is likely utilised for the functionality in use here. Maybe we could provide some security advice around this and the option to disable external fetching?
Good day, sorry for the late answer. Yes, indeed it is a blind SSRF, but due to the lack of filtering in the PDF generator it is possible to query any URL on any port with URL parameters, regardless of whether it is an image or not. It is required for an external attacker to have a significant amount of luck to find a vulnerable service inside the infrastructure, or to have additional information about the internal target. Due to the high exploitation difficulty I consider this vulnerability to be of medium severity. Regarding the mitigation, consider stripping out the src option from tags or limiting it only to external resources (as I saw during my fast recon with my installation of BookStack, there is no option to upload an image using a link, so this kind of fix will probably not affect user experience. Correct me if I'm wrong). Thank you, d3addog
Thanks @d3addog for following up.
I can confirm this issue. I'll mark this as valid but I'm not sure how this platform works, I don't want to accidentally make this public until I have a patch together. It's not clear if this will be public after marking as valid or what the overall process is here.
I've got a plan to patch this in for the next release, which hopefully should be in the next couple of days. I'll be disabling any external server-side fetching by default within the export system.
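The two mitigations discussed in this thread (strip or restrict src attributes before export, and switch off server-side fetching in the renderer) can be combined into a pre-export filter. The following is an added example, not BookStack's or dompdf's own code: it drops every fetch-triggering attribute whose value is not an inline data: image or an http(s) URL on an explicitly allowed host, and refuses loopback, private and link-local IP literals even when they are listed. The function names, the allow-list shape and the host names in SAMPLE_PAGE are assumptions made for the example.

```python
"""Pre-export hardening for HTML handed to a server-side PDF renderer.

Added example, not BookStack or dompdf code. It assumes the export pipeline
can run strip_remote_fetches() over the page HTML before the renderer sees
it; the host names in SAMPLE_PAGE are constructed.
"""
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs that make a renderer issue a fetch from the server.
FETCHING_ATTRS = {
    ("img", "src"), ("source", "src"), ("iframe", "src"),
    ("link", "href"), ("object", "data"),
}


def is_fetch_allowed(url, allowed_hosts):
    """Allow only inline image data and http(s) URLs on listed hosts.
    Loopback/private/link-local IP literals are refused even if listed."""
    url = url.strip()
    if url.lower().startswith("data:image/"):
        return True            # nothing is fetched for inline data
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https"):
        return False           # file:, ftp:, gopher:, relative refs, ...
    host = parsed.hostname
    if not host:
        return False
    try:
        if not ipaddress.ip_address(host).is_global:
            return False       # 127.0.0.1, ::1, 10/8, 169.254/16, ...
    except ValueError:
        pass                   # a DNS name: checked against the allow list
    return host.lower() in {h.lower() for h in allowed_hosts}


class FetchAttrStripper(HTMLParser):
    """Re-emits the document, dropping fetch attributes that fail the policy
    and recording them so the export can be logged or refused."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=False)
        self.allowed_hosts = allowed_hosts
        self.out = []
        self.blocked = []      # original URL values that were removed

    def _render_attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if value is None:
                parts.append(name)
                continue
            if (tag, name) in FETCHING_ATTRS and not is_fetch_allowed(value, self.allowed_hosts):
                self.blocked.append(value)
                continue       # attribute dropped: the renderer has nothing to fetch
            parts.append(f'{name}="{html.escape(value)}"')
        return " " + " ".join(parts) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_remote_fetches(page_html, allowed_hosts):
    """Return (sanitised_html, blocked_urls) for a page about to be exported."""
    parser = FetchAttrStripper(allowed_hosts)
    parser.feed(page_html)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed page body: one legitimate image plus several references that
# would turn a PDF export into a request made by the server.
SAMPLE_PAGE = (
    '<p>Quarterly &amp; annual numbers</p>'
    '<img src="https://docs.example.org/uploads/chart.png" alt="chart">'
    '<img src="http://127.0.0.1:7654/test.jpg">'
    '<img src="http://[::1]:8080/status.png">'
    '<img src="file:///etc/hostname">'
    '<link rel="stylesheet" href="http://intranet.example.internal/theme.css">'
    '<img src="data:image/png;base64,iVBORw0KGgo=">'
)

if __name__ == "__main__":
    cleaned, blocked = strip_remote_fetches(SAMPLE_PAGE, {"docs.example.org"})
    print(cleaned)
    for url in blocked:
        print("blocked fetch:", url)
```

Relative references are dropped as well, so the caller is expected to resolve app-served images to absolute URLs on the application's own host before export. The returned blocked list is what to log: a page that carried such references at export time is worth an audit entry regardless of whether the request was blind. dompdf's own isRemoteEnabled option is the coarser equivalent, switching remote fetching off wholesale, which matches the maintainer's plan above to disable external server-side fetching by default.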
