User can read any series without permission in kareadita/kavita
Reported on
Sep 17th 2022
Description
A normal user can access any series without permission if they have access to at least one library.
Version
Tested on the latest release, 0.5.6.0, and on the docker image 'kizaing/kavita:latest', with the image pulled on September 17, 12:30 UTC (Digest: sha256:6e61cdadde2f80e68f1f26cdf935af5c8b3d0db6a7a5f248a4972d251d9998e9).
Details
The program uses URLs of the format:
http://localhost:5000/library/<library-number>/series/<series-number>
If the user has access to library-number 1 (for example), then the user can access any series through its series-number by using URL:
http://localhost:5000/library/1/series/<series-number>
It does not matter whether the referenced series is actually in that library; the software grants the user access to the series regardless.
Note that the user does need to know the series-number, but since these are always handed out sequentially starting from 1, it is not hard for a user to enumerate everything that's available on the server and access all available series.
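The following is an added illustration of the authorization flaw described above and of the object-level check that closes it. It is not Kavita's own code; the catalogue, the `Series`/`User` types and the two lookup functions are constructed for the example. The vulnerable variant authorizes only the library id taken from the URL, so a series from another library can be fetched through any library the user already has; the fixed variant resolves the series first and authorizes against the library it actually belongs to.

```python
"""Added example (not Kavita's code): library-only check vs. series-level check."""
from dataclasses import dataclass, field


@dataclass
class Series:
    id: int
    library_id: int  # the library this series really belongs to
    name: str


@dataclass
class User:
    name: str
    library_ids: set[int] = field(default_factory=set)  # libraries granted to the user


class Forbidden(Exception):
    pass


# Constructed sample catalogue: two libraries, three series.
SERIES = {
    1: Series(1, 1, "Public Comics A"),
    2: Series(2, 1, "Public Comics B"),
    3: Series(3, 2, "Restricted Manga"),
}


def get_series_vulnerable(user: User, url_library_id: int, series_id: int) -> Series:
    """The pattern the report describes: only the library id from the URL is
    checked against the user's libraries. The series id is never tied back to
    that library, so /library/1/series/3 serves a series from library 2."""
    if url_library_id not in user.library_ids:
        raise Forbidden("not found")
    return SERIES[series_id]


def get_series_fixed(user: User, url_library_id: int, series_id: int) -> Series:
    """Object-level check: resolve the series, then authorize against the
    library it actually belongs to. The URL's library id is not trusted as an
    authorization input; a mismatch is refused rather than silently served."""
    series = SERIES.get(series_id)
    # One uniform error for missing, unauthorized and mismatched requests,
    # so responses do not reveal which series ids exist.
    if series is None:
        raise Forbidden("not found")
    if series.library_id not in user.library_ids:
        raise Forbidden("not found")
    if series.library_id != url_library_id:
        raise Forbidden("not found")
    return series


def can_read(user: User, url_library_id: int, series_id: int) -> bool:
    """True if the fixed lookup would serve the series to this user."""
    try:
        get_series_fixed(user, url_library_id, series_id)
        return True
    except Forbidden:
        return False


def demo() -> tuple[bool, bool]:
    """Returns (vulnerable_leaks, fixed_blocks) for a user who has library 1 only."""
    user = User("alice", {1})
    leaked = get_series_vulnerable(user, 1, 3).name == "Restricted Manga"
    blocked = not can_read(user, 1, 3)
    return leaked, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The authoritative input for the decision is the series' own `library_id`, looked up server-side; the library id in the URL is at most a consistency check. Making series ids non-sequential would only slow enumeration and is no substitute for this check.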
Video PoC
https://drive.google.com/file/d/1HlThYOsbh6YeouLrXtpg1pgY3-n3biXt/view?usp=sharing
Impact
This vulnerability lets any user who has access to at least one library read every series in every library.
This is a valid issue and has been fixed locally for v0.6.0 release.
Just updating since it's been some time, this is patched but the release is taking some extra time to wrap up. This will be marked as fixed once the release is published.