Beta Security Release v0.30.4

XSS and user-injected auto-redirect vulnerabilities have been found within the page content & attachment components of BookStack, and are addressed in BookStack v0.30.4. These are primarily a concern if untrusted users can edit content on your BookStack instance.

Impact

  1. A user with permissions to edit a page could insert JavaScript code through the use of javascript: URIs within a link or form which would run, within the context of the current page, when clicked or submitted.

  2. A user with permissions to edit a page could insert a particular meta tag which could be used to silently redirect users to an alternative location upon visit of a page.

  3. A user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page.

Patches

The issues were addressed in BookStack v0.30.4.

Dangerous content may remain in the database. The in-page vulnerabilities will be stripped before content is displayed on a page, but dangerous attachment content will remain if exploited. If you think this could have been exploited you can search for potential cases with the following SQL commands. The patterns are deliberately broad ('%<meta%' also matches harmless meta tags, so review the results by hand) and, on a case-insensitive collation (the usual MySQL default), LIKE will also match mixed-case variants such as JavaScript:, but they will not match a scheme that has been obfuscated with HTML entities or embedded tab/newline characters:

# XSS within page content:
select * from pages where html like '%javascript:%';

# Auto-redirect within page content:
select * from pages where html like '%<meta%';

# XSS in page link attachments:
select a.name as attachment_name, p.name as page_name, p.id as page_id from attachments a left join pages p on (a.uploaded_to=p.id) where a.path like '%javascript:%';

Workarounds

Page edit permissions could be limited to only those users that are trusted until you can upgrade, although this will not address existing exploitation of this vulnerability.

More Information

If you have any questions or comments about this advisory:

