Beta Security Releases v0.25.[3,4,5] & Our Security Process

Over the last week some security issues have been raised regarding file uploads. BookStack v0.25.3, v0.25.4 & v0.25.5 have been released to cover these issues, in addition to bringing some translation updates.

Security Issues Found

First of all, a massive thanks to @inc0x0 for raising these security issues and providing guidance.

It was found that BookStack could accept PHP files via the image upload endpoint, which could then be requested externally to execute malicious code. This is particularly an issue in environments where untrusted users have the permissions needed to upload images. BookStack v0.25.3 was released to directly cover this scenario.

In the same manner as above, it was found that PHP files with a non-standard PHP extension, such as .phtml, could be uploaded and then executed on some web servers. BookStack v0.25.4 added a file-extension whitelist so that only expected image file types can be uploaded to BookStack.

Although not so common, some web servers can interpret files with double extensions, such as .php.en. BookStack v0.25.5 was released to prevent images with multiple extensions from being uploaded. In addition, v0.25.5 also uses random file names for attachment files for extra security.
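The three protections described above (an extension whitelist, refusal of names with more than one extension, and a server-chosen random storage name) are easy to get subtly wrong, so here is an added example of how they fit together. This is not BookStack's own code: the class, its method names and the whitelist contents are assumptions chosen for illustration.

```php
<?php
// Added example (not BookStack's own code): a validator for uploaded image
// file names that applies the three protections described above:
//   1. a whitelist of the image extensions the application expects,
//   2. rejection of names carrying more than one extension (e.g. image.php.en),
//   3. a random server-side file name so the client-chosen name is never used.
// Class, method and constant names are hypothetical.

final class ImageUploadValidator
{
    /** Extensions the application actually expects for images (assumption). */
    private const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

    /** MIME types matching the whitelist above, detected from file content. */
    private const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

    /**
     * Returns null when the name is acceptable, otherwise the reason it was refused.
     * Only a bare file name is inspected; any directory component is rejected.
     */
    public static function rejectReason(string $originalName): ?string
    {
        $base = basename($originalName);
        if ($base !== $originalName || $base === '' || $base === '.' || $base === '..') {
            return 'path components or empty name not allowed';
        }
        // Exactly one dot separating stem and extension is the only accepted shape,
        // so "photo.php.en" and "photo.phtml.png" are both refused, as is ".htaccess".
        $parts = explode('.', $base);
        if (count($parts) !== 2 || $parts[0] === '') {
            return 'exactly one extension required';
        }
        $ext = strtolower($parts[1]);
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            return "extension '{$ext}' is not an allowed image type";
        }
        return null;
    }

    /**
     * Checks the actual bytes rather than trusting the extension.
     * $path must point to a readable file (e.g. the temporary upload).
     */
    public static function hasImageContent(string $path): bool
    {
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime = $finfo->file($path);
        return $mime !== false && in_array($mime, self::ALLOWED_MIME, true);
    }

    /**
     * Server-chosen storage name: a random hex stem plus the already-validated
     * extension, so nothing from the client-supplied name reaches the filesystem.
     */
    public static function storageName(string $validatedOriginalName): string
    {
        $ext = strtolower(pathinfo($validatedOriginalName, PATHINFO_EXTENSION));
        return bin2hex(random_bytes(16)) . '.' . $ext;
    }
}

// Constructed sample names, run from the command line: php validator.php
foreach (['photo.png', 'shell.php', 'shell.phtml', 'image.php.en', 'image.PNG', '../evil.png'] as $name) {
    $reason = ImageUploadValidator::rejectReason($name);
    printf("%-14s => %s\n", $name, $reason ?? 'accepted as ' . ImageUploadValidator::storageName($name));
}
```

The extension rule is the one that matters for the issues above: a content check such as `hasImageContent()` complements it but cannot replace it, because a file can carry a valid image header and still contain PHP, and it is the extension that decides whether a web server hands the file to the interpreter. Keeping the stored name random means that even a name which slipped past the checks is never used as-is on disk.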

Please consider that malicious exploitation of this vulnerability may have allowed access to other files on your server that the PHP process has access to, including your BookStack .env file, so consider updating any passwords or keys if you think this may have been exploited on your instance. The vulnerable image upload endpoints require a user to log in by default, but if your instance contained untrusted users, or if permissions were changed to allow uploads by any visitor, then please consider that this may have been exploited.

Security Process Updates

While acting on the above security issues I noticed that the process for handling security concerns could be improved. Details of how to report a sensitive security issue can now be found in the project readme.

For the purpose of notifying admins of security issues, a new mailing list has been created which you can subscribe to here.

Translations

BookStack v0.25.5 includes the following translation updates:

Full List of Changes

These releases contain the following fixes and changes:

  • Added Czech translations. Thanks to @cima. (#1347)
  • Updated Russian translations. Thanks to @agvol. (#1348)
  • Updated ‘Spanish Argentina’ translations. Thanks to @leomartinez. (#1327)
  • Added prevention for PHP files via the image upload endpoint.
  • Added whitelist for the extensions on uploaded image files to prevent other, malicious, filetypes being uploaded.
  • Prevented image files with multiple extensions being uploaded via the image upload endpoint.
  • Updated attachment storage to use random file names to help prevent attacks via file name.

Header Image Credits: Rubén Bagüés (Unsplash)