Generation of Error Message Containing Sensitive Information in janeczku/calibre-web
Reported on
Nov 15th 2021
Description
An authenticated user can learn the names of other users' private shelves by attempting to remove a book from those shelves: the permission-denied message echoes the shelf name back to the requester.
Proof of Concept
In shelf.py, the permission-denied branch at line 221 exposes the shelf name when a user tries to remove a book from a shelf they do not own. The name is placed both in the flash message and in the body of the direct 403 response:
    # Server-side log line: shelf.name belongs here, it is only seen by the operator.
    log.warning("You are not allowed to remove a book from shelf: {}".format(shelf.name))
    # Browser path: the same shelf.name is put into the flash message shown after the redirect.
    flash(_(u"Sorry you are not allowed to remove a book from this shelf: %(sname)s", sname=shelf.name),
          category="error")
    return redirect(url_for('web.index'))
# Direct response path: this 403 body is the message the user sees, with shelf.name included.
return "Sorry you are not allowed to remove a book from this shelf: %s" % shelf.name, 403
Steps to Reproduce
#1. As the admin user, create a shelf. In this example the shelf gets id = 1.
#2. Add a book to that shelf. In this example the book has id = 2.
#3. Log in as a different user who does not own the shelf and send the following request:
GET /shelf/remove/1/2
Image 1
#4. The response is a 403 whose body reveals the other user's shelf name: "Sorry you are not allowed to remove a book from this shelf: admin shelf"
Impact
The shelf name is private to its owner, yet this response discloses it to any authenticated user who is not authorized to access the shelf. Because shelf IDs and book IDs are small integers in the URL path, a low-privilege user can iterate over /shelf/remove/<shelf_id>/<book_id> and harvest the names of every private shelf on the instance.
Occurrences
shelf.py L126
In the method search_to_shelf(shelf_id) of the same file, the permission check at line 126 produces the same kind of error message containing the shelf name:
flash(_(u"You are not allowed to add a book to the the shelf: %(name)s", name=shelf.name), category="error")
shelf.py L221
The user receives a 403 error containing the name of a shelf that belongs to another user and is otherwise not visible to them.
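The following is an added example and not calibre-web's own code. It is a minimal stand-in for the /shelf/remove/<shelf_id>/<book_id> handler that reproduces the pattern behind both occurrences above: the vulnerable handler echoes shelf.name in the 403 body, a small enumerator shows how a low-privilege user harvests every private shelf name by walking shelf IDs (the Steps to Reproduce generalized to a loop), and a hardened handler keeps the name in the server log only. The Shelf model, the owner-only permission check, the usernames and the shelf data are assumptions constructed for the demo; the real application uses an HTTP request where the enumerator here calls the handler directly.

```python
"""Added example (not calibre-web code): name disclosure in the shelf-remove
denial message, enumeration of that leak, and the hardened response."""
import logging
import re
from dataclasses import dataclass

log = logging.getLogger("shelf")


@dataclass
class Shelf:
    id: int
    name: str
    owner: str  # assumed model: every shelf is private to its owner


# Constructed sample data: shelf 1 / book 2 mirror steps 1-2 of the report.
SHELVES = {
    1: Shelf(1, "admin shelf", "admin"),
    2: Shelf(2, "unreleased titles", "admin"),
    3: Shelf(3, "to read", "alice"),
}


def can_edit(shelf: Shelf, user: str) -> bool:
    """Assumed permission check: only the owner may edit a private shelf."""
    return shelf.owner == user


def remove_from_shelf_vulnerable(shelf_id: int, book_id: int, user: str) -> tuple[str, int]:
    """Same pattern as shelf.py L221: the denial message echoes shelf.name to the requester."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        return "Invalid shelf specified", 400
    if not can_edit(shelf, user):
        log.warning("You are not allowed to remove a book from shelf: %s", shelf.name)
        return "Sorry you are not allowed to remove a book from this shelf: %s" % shelf.name, 403
    return "", 204


def remove_from_shelf_hardened(shelf_id: int, book_id: int, user: str) -> tuple[str, int]:
    """Same control flow; the shelf name stays in the operator log, the user gets a generic message."""
    shelf = SHELVES.get(shelf_id)
    if shelf is None:
        return "Invalid shelf specified", 400
    if not can_edit(shelf, user):
        log.warning("User %r denied removing book %d from shelf %d (%s)",
                    user, book_id, shelf_id, shelf.name)
        return "Sorry you are not allowed to remove a book from this shelf", 403
    return "", 204


# Matches the trailing ": <name>" of the vulnerable 403 body.
LEAK = re.compile(r"this shelf: (.+)$")


def enumerate_shelf_names(handler, user: str, max_id: int = 10, book_id: int = 2) -> dict[int, str]:
    """Walk shelf IDs as a low-privilege user and collect every name a 403 body reveals.

    `handler` stands in for the HTTP request to /shelf/remove/<shelf_id>/<book_id>;
    the book_id is irrelevant because the permission check fires before any book lookup.
    """
    found = {}
    for shelf_id in range(1, max_id + 1):
        body, status = handler(shelf_id, book_id, user)
        if status != 403:
            continue
        match = LEAK.search(body)
        if match:
            found[shelf_id] = match.group(1)
    return found


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("vulnerable:", enumerate_shelf_names(remove_from_shelf_vulnerable, "bob"))
    print("hardened:  ", enumerate_shelf_names(remove_from_shelf_hardened, "bob"))
```

Running the script as the unprivileged user "bob" prints every shelf name from the vulnerable handler and an empty result from the hardened one. Note that the hardened handler still answers 400 for a nonexistent shelf and 403 for a foreign one, so a caller can tell which shelf IDs exist; collapsing both cases into one identical response would close that remaining oracle, but it is a separate decision from the name disclosure this report is about.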