Use of Cache Containing Sensitive Information in bookstackapp/bookstack

Valid

Reported on

Oct 8th 2021

Description

Bookstack does not use secure Cache-Control headers.

Proof of Concept

1: Login to application
2: View a shelf
3: Logout
4: Press the back button of the opened tab to still see that you can view the information about books previous page of your shelf.

Impact

This issue is capable of storing sensitive page data in the Browser, leading to situations where a physical attacker can press the Browser back button to reveal information.

Recommended Fix

Add the Cache-Control header containing 'no-store' and 'no-cache' directives.

References

https://isc.sans.edu/forums/diary/The+Security+Impact+of+HTTP+Caching+Headers/17033/

We have contacted a member of the bookstackapp/bookstack team and are waiting to hear back 2 years ago

haxatron modified the report

2 years ago

Dan Brown validated this vulnerability 2 years ago

haxatron has been awarded the disclosure bounty

The fix bounty is now up for grabs

Dan Brown marked this as fixed with commit 41ac69 2 years ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Dan Brown

commented 2 years ago

Maintainer

Thanks for reporting @haxatron. All now patched.

Note, the provided reference was mainly around the subject of caching at a proxy-level. I think this specific vulnerability vector was already avoided by a few existing default cache-control rules. Your core impact and PoC was apparent though so that's what I have patched.

Note, I am working on your other report. I'll just need a little more time due to the higher severity of that one, to ensure the patch is released alongside security notifications to users.

to join this conversation