Description

With default settings, low-level users will not have permission to read name of private shelf (shelf create by another user and not in public mode). However, due to incorrect HTML render, the application does not work as intended.

Proof of Concept

• Step 1: Login with admin account and go to http://hostname:8083/admin/user/new. Create new user “test2” with default permissions (only “Show *” permissions).
• Step 2: Using admin account and create private shelf. Get id of this shelf.
• Step 3: Login as test1 and go to http://hostname:8083/shelf/order/:id. Attacker will get name of private shelf. id for this attack can get via brute-force.
• PoC: https://drive.google.com/file/d/10tbKwfXlNXMgPEa0i4pPZ1-wW2ovUpsM

Root-cause

In line 380 (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L380), server will check view permission of user and query book for shelf. However, if user doesn’t have view permission, server continues to render HTML containing shelf.name instead of showing error messages and redirect. This leads to disclose name of private shelf.

Impact

Low-level user can read name of all private shelves.