Improperly Controlled Modification of Dynamically-Determined Object Attributes in janeczku/calibre-web

Valid

Reported on

Nov 16th 2021


Description

A user with no permissions over public shelves can edit their own private shelf and make it public. This class of vulnerability is called Mass Assignment: a request parameter that the user should not control is copied straight into the stored object.

Proof of Concept

The file shelf.py, at line 247, assigns is_public from the request body for every shelf being edited, so if the user injects the parameter is_public=on into the POST request, the shelf is saved as public.

if request.method == "POST":
    to_save = request.form.to_dict()
    shelf.is_public = 1 if to_save.get("is_public") else 0

This assignment happens after the permissions of the user over public shelves have been checked, so if someone injects that parameter, the shelf is saved as public anyway.

Steps to reproduce

#1. Log in as a user who has no permission to create or edit public shelves.

#2. Create a shelf. This is a private one (Image 1).

#3. Edit this shelf and click Save, intercepting the request POST /shelf/edit/{id_shelf}.

#4. Add a body parameter is_public=on and forward the request (Image 2).

#5. Check that the private shelf has turned into a public one (Image 3).

Impact

Whether the user has permission over public shelves should be checked when the body is received, against the state the request asks for and not only the shelf's current state. Also, the order of validations and the function check_shelf_edit_permissions should be reviewed to avoid these possibilities.
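To make the mass-assignment pattern and the recommended check concrete, here is an added example (not calibre-web's code and not the project's actual fix commit). It models the shelf edit handler with plain Python objects in place of Flask's request and the SQLAlchemy shelf model; all names (User, Shelf, Forbidden, can_edit_public_shelves, edit_shelf_vulnerable, edit_shelf_fixed) are hypothetical. The vulnerable version checks permissions on the shelf's stored state and then copies is_public from the form; the hardened version re-checks the permission against the visibility the request is trying to set.

```python
from dataclasses import dataclass


@dataclass
class User:
    # Hypothetical stand-in for the application's user record.
    name: str
    can_edit_public_shelves: bool = False


@dataclass
class Shelf:
    # Hypothetical stand-in for the stored shelf row; is_public is 0 or 1.
    name: str
    owner: str
    is_public: int = 0


class Forbidden(Exception):
    """Raised when a request tries to do something the user may not do."""


def check_shelf_edit_permissions(user: User, shelf: Shelf) -> bool:
    """Permission rule as the report describes it: a private shelf may be
    edited by its owner, a public shelf only by users with the public right."""
    if shelf.is_public:
        return user.can_edit_public_shelves
    return shelf.owner == user.name


def edit_shelf_vulnerable(user: User, shelf: Shelf, form: dict) -> Shelf:
    """Mass-assignment pattern: permission is checked on the shelf's current
    (private) state, then every field in the body is copied in unconditionally."""
    if not check_shelf_edit_permissions(user, shelf):
        raise Forbidden("not allowed to edit this shelf")
    to_save = dict(form)  # mirrors request.form.to_dict()
    shelf.name = to_save.get("title", shelf.name)
    # Attacker-controlled field: an unprivileged owner can set is_public=on.
    shelf.is_public = 1 if to_save.get("is_public") else 0
    return shelf


def edit_shelf_fixed(user: User, shelf: Shelf, form: dict) -> Shelf:
    """Hardened version: the visibility field is only honoured when the user
    holds the public-shelf right; otherwise the request is rejected."""
    if not check_shelf_edit_permissions(user, shelf):
        raise Forbidden("not allowed to edit this shelf")
    to_save = dict(form)
    wants_public = 1 if to_save.get("is_public") else 0
    # Check against the requested state, not only the stored one: turning a
    # shelf public is itself a public-shelf operation.
    if wants_public != shelf.is_public and not user.can_edit_public_shelves:
        raise Forbidden("not allowed to change shelf visibility")
    shelf.name = to_save.get("title", shelf.name)
    shelf.is_public = wants_public
    return shelf


def try_edit(handler, user: User, shelf: Shelf, form: dict) -> str:
    """Run a handler and report the outcome as a short string for comparison."""
    try:
        handler(user, shelf, form)
    except Forbidden:
        return "forbidden"
    return "public" if shelf.is_public else "private"


if __name__ == "__main__":
    # Constructed request body equivalent to the report's injected parameter.
    injected = {"title": "my shelf", "is_public": "on"}
    print("vulnerable:", try_edit(edit_shelf_vulnerable, User("alice"), Shelf("my shelf", "alice"), injected))
    print("fixed:     ", try_edit(edit_shelf_fixed, User("alice"), Shelf("my shelf", "alice"), injected))
```

Rejecting the request is one valid choice; the other is to drop is_public from the form before assignment when the user lacks the right (an allowlist of fields per permission level). Either way the decisive change is that the permission is evaluated against what the request is asking for, which is what the report recommends.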

We are processing your report and will contact the janeczku/calibre-web team within 24 hours. 6 months ago
We have contacted a member of the janeczku/calibre-web team and are waiting to hear back 6 months ago
We have sent a follow up to the janeczku/calibre-web team. We will try again in 7 days. 6 months ago
We have sent a second follow up to the janeczku/calibre-web team. We will try again in 10 days. 6 months ago
We have sent a third and final follow up to the janeczku/calibre-web team. This report is now considered stale. 6 months ago
Ozzie Isaacs
5 months ago

Sorry. I get confused by all these emails and there is no "dashboard" to track what's open and what not. Meanwhile I don't see any verify button here, so I can't do anything. @admin: Sorry Jamie, could you please mark this report as valid.

janeczku validated this vulnerability 5 months ago
Ileana Barrionuevo has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ozzie Isaacs
4 months ago

@admin I can't mark this issue as fixed. This is fixed in the newest version 0.6.15. The commit to fix this was: https://github.com/janeczku/calibre-web/commit/6deb5277692dca38873db334d0cdc7d44bad0703

janeczku confirmed that a fix has been merged on bcdc97 4 months ago
The fix bounty has been dropped
janeczku
4 months ago

Maintainer

@admin Okay got it, it works if I'm not logged in and then use the link with the token I get in the email

Jamie Slome
4 months ago

Admin

Correct 👍
