Path Traversal in bookstackapp/bookstack

Valid

Reported on

Oct 7th 2021


Description

A path traversal vulnerability in BookStacks export function allows for the exposure of sensitive files in local or local_secure Laravel filesystems.

Proof of Concept

1: Write the following in a new page:

<p id="bkmrk-"><img src="http://[BOOKSTACK_URL]/uploads/images/../../.htaccess" alt="cat.jpg" /></p>

2: Export in contained HTML to find the .htaccess file base64 encoded

3: If the STORAGE_IMAGE_TYPE in .env is set to local_secure, then it is possible to obtain the Laravel log file via the following payload:

<p id="bkmrk-"><img src="http://10.0.2.15/uploads/images/../../logs/laravel.log" alt="cat.jpg" /></p>

Impact

This vulnerability is capable of exposure of sensitive log/configuration files present in the Laravel filesystems.

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back 19 days ago
We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back 19 days ago
Dan Brown
18 days ago

As mentioned on the other issue, Patch is in progress for this one but need to prepare to push the fix alongside a release and security announcement.

@admin If I mark this as valid, What is the scope of visibility for this report? I'd like to mark this as valid now but wouldn't really want this to become visible to anyone else outside of the original reporter, the main huntr team and myself.

haxatron
18 days ago

Researcher


Hi there, thanks for reviewing my reports! So far, only the CWE of the report and the application will be listed on my profile but not the report itself. The whole report will only be disclosed after a fix is submitted. If you would like, @admin can confirm this statement.

Jamie Slome
18 days ago

Admin


The report remains private until the fix is confirmed.

Dan Brown
18 days ago

Thanks both! Will therefore mark this one valid now and will look to confirm the patch in the next day or so.

Dan Brown validated this vulnerability 18 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dan Brown confirmed that a fix has been merged on 7224fb 18 days ago
Dan Brown has been awarded the fix bounty
ImageService.php#L414L442 has been validated