Improperly Controlled Modification of Dynamically-Determined Object Attributes in janeczku/calibre-web
Reported on
Nov 16th 2021
Description
A user with no permissions for public shelves can edit their own private shelf and make it public. This class of vulnerability is called Mass Assignment: the handler copies attacker-controlled form fields straight into the model without checking whether the user may set each one.
Proof of Concept
The file shelf.py at line 247 marks an edited shelf as public whenever the parameter is_public=on is present, so if the user injects that parameter into the POST request, the shelf is saved as public.

    if request.method == "POST":
        to_save = request.form.to_dict()
        shelf.is_public = 1 if to_save.get("is_public") else 0

This assignment happens after the user's permissions over public shelves have been checked (against the shelf's current state), so if someone injects that parameter, the shelf is saved as public anyway.
Steps to reproduce
#1. Log in as a user who has no permission to create or edit public shelves.
#2. Create a shelf. This is a private one. (Image 1)
#3. Edit this shelf and Save, intercepting the request POST /shelf/edit/{id_shelf}.
#4. Add a body parameter as follows: is_public=on, and Forward. (Image 2)
#5. Check that the private shelf has turned into a public one. (Image 3)
Impact
The server should check whether the user has permission for public shelves when the request body is received, before the submitted value of is_public is applied. The order of the validations and the function check_shelf_edit_permissions should also be reviewed to close off these possibilities.
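To make the bug and the fix concrete, here is an added example (not calibre-web's code) that models the reported handler pattern beside a hardened version which validates the requested visibility against the user's permission before touching the model. The User, Shelf and can_edit_public_shelves names are assumptions for illustration.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    name: str
    can_edit_public_shelves: bool = False  # assumed role flag, not calibre-web's


@dataclass
class Shelf:
    name: str
    owner: str
    is_public: int = 0


def edit_shelf_vulnerable(shelf, form, user):
    """Reported pattern: permissions are checked against the shelf's
    current state, then every submitted field is copied into the model."""
    if shelf.is_public and not user.can_edit_public_shelves:
        raise PermissionDenied("no permission for public shelves")
    if not shelf.is_public and shelf.owner != user.name:
        raise PermissionDenied("not the owner of this private shelf")
    to_save = dict(form)  # request.form.to_dict() in a Flask handler
    shelf.name = to_save.get("title", shelf.name)
    # Attacker-controlled: an injected is_public=on flips a private shelf
    # to public with no further check.
    shelf.is_public = 1 if to_save.get("is_public") else 0
    return shelf


def edit_shelf_hardened(shelf, form, user):
    """Same flow, but the requested visibility is validated before use."""
    if not shelf.is_public and shelf.owner != user.name:
        raise PermissionDenied("not the owner of this private shelf")
    requested_public = 1 if form.get("is_public") else 0
    # Editing an already public shelf, or asking for it to become public,
    # both require the public-shelf permission.
    if (shelf.is_public or requested_public) and not user.can_edit_public_shelves:
        raise PermissionDenied("no permission for public shelves")
    shelf.name = form.get("title", shelf.name)
    shelf.is_public = requested_public
    return shelf


def try_edit(handler, shelf, form, user):
    """True if the handler accepted the edit, False if it was denied."""
    try:
        handler(shelf, form, user)
        return True
    except PermissionDenied:
        return False
```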
Sorry. I get confused by all these emails and there is no "dashboard" to track what's open and what's not. Meanwhile I don't see any verify button here, so I can't do anything. @admin: Sorry Jamie, could you please mark this report as valid.
@admin I can't mark this issue as fixed. This is fixed in the newest version 0.6.15. The commit to fix this was: https://github.com/janeczku/calibre-web/commit/6deb5277692dca38873db334d0cdc7d44bad0703
@admin Okay, got it. It works if I'm not logged in and then use the link with the token I get in the email.