Improperly Controlled Modification of Dynamically-Determined Object Attributes in janeczku/calibre-web
Nov 16th 2021
A user who has no permissions for public shelves can edit their own private shelf and make it public. This class of vulnerability is called mass assignment.
Proof of Concept
shelf.py at line 247 sets is_public from the request body for every shelf being edited, so if the user injects the parameter is_public=on into the POST request, the shelf is saved as public.
    if request.method == "POST":
        to_save = request.form.to_dict()
        shelf.is_public = 1 if to_save.get("is_public") else 0

This runs after the user's permissions over public shelves have been checked, so if someone injects that parameter, the shelf is saved as public.
Steps to reproduce
#1. Log in as a user who has no permission to create or edit public shelves.
#2. Create a shelf; it is a private one (Image 1).
#3. Edit this shelf and click Save, intercepting the request.
#4. Add a body parameter is_public=on and forward the request (Image 2).
#5. Check that the private shelf has turned into a public one (Image 3).
The user's permission for public shelves should be checked when the body is received, before is_public is taken from it. The order of validations and the function check_shelf_edit_permissions should also be reviewed to avoid these possibilities.
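The flaw from the proof of concept and the fix recommended above, as an added example that is not calibre-web's own code: the vulnerable save flow beside a hardened one that refuses a change to the public flag from a user without the public-shelf permission. The `User`, `Shelf`, `ShelfEditError` names, the `can_edit_public_shelves` attribute and the owner check are assumptions; the form dict stands in for request.form.to_dict().

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    can_edit_public_shelves: bool = False  # assumed attribute, not calibre-web's role model


@dataclass
class Shelf:
    name: str
    owner: str
    is_public: int = 0


class ShelfEditError(Exception):
    pass


def _check_edit_permission(shelf: Shelf, user: User) -> None:
    # Stand-in for check_shelf_edit_permissions: decided on the *stored* shelf state,
    # so a private shelf owned by the user always passes.
    if shelf.owner != user.name and not user.can_edit_public_shelves:
        raise ShelfEditError("not allowed to edit this shelf")


def save_shelf_vulnerable(shelf: Shelf, form: dict, user: User) -> Shelf:
    """Mirrors the reported flow: permission is checked first, then is_public is
    copied from the untrusted body with no check on who may set it."""
    _check_edit_permission(shelf, user)
    to_save = dict(form)
    shelf.name = to_save.get("title", shelf.name)
    shelf.is_public = 1 if to_save.get("is_public") else 0  # mass assignment
    return shelf


def save_shelf_fixed(shelf: Shelf, form: dict, user: User) -> Shelf:
    """Hardened: the body may only change the public flag when the user holds
    the public-shelf permission; otherwise the request is rejected."""
    _check_edit_permission(shelf, user)
    to_save = dict(form)
    wants_public = bool(to_save.get("is_public"))
    if wants_public != bool(shelf.is_public) and not user.can_edit_public_shelves:
        raise ShelfEditError("no permission to change the public status of a shelf")
    shelf.name = to_save.get("title", shelf.name)
    shelf.is_public = 1 if wants_public else 0
    return shelf


def outcome(handler, shelf: Shelf, form: dict, user: User) -> str:
    # Helper for exercising both handlers: returns "public", "private" or "rejected".
    try:
        return "public" if handler(shelf, form, user).is_public else "private"
    except ShelfEditError:
        return "rejected"
```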