Beta Security Release v0.30.5
Dan Brown posted on the 6th of December 2020
Phishing and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 removes the server-side request forgery issue and brings updated wording and advice to prevent the potential phishing vulnerability.
Impact
- A user with permission to edit a page could set certain image URLs within a page to manipulate functionality in the export system, allowing them to make server-side requests and/or access a wider scope of files within the BookStack file storage locations. This is primarily a concern if untrusted users are able to edit pages in your instance.
- A malicious attacker could craft a password reset request carrying an alternate host address, resulting in a password reset email whose reset link points at that alternate destination. This could be used for phishing attempts with a view to gaining further access if successful. This is primarily a concern on hosts where requests for unexpected domain names can reach your BookStack instance.
Patches
Within v0.30.5 the above server-side request forgery vulnerability no longer exists, since that specific functionality was removed. Also within v0.30.5, the default state and wording within the provided .env.example file were updated to encourage filling in the APP_URL parameter (see below).
Workarounds
To help prevent the potential phishing vulnerability, please ensure you have set the APP_URL option in your .env file. The value should exactly match the base URL (scheme, host and any port or path) you are using to reach BookStack, so that generated links never depend on the host named in an incoming request.
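The following is an added illustration of the phishing issue and the APP_URL workaround; it is not BookStack code (BookStack is a PHP/Laravel application) and the reset path `/password/reset/<token>`, the hostnames and the `APP_URL` value are all assumed for the example. It shows a reset-link builder that trusts the request's Host header, the hardened variant that derives the link only from the configured base URL, and a pre-flight check that rejects requests whose Host does not match that configuration.

```python
"""Host-header poisoning of a password-reset link, and the APP_URL fix.

Constructed example, not code from BookStack. Two ways of building the
link that goes into a password-reset email:
  * reset_link_from_host_header  - trusts the incoming Host header (bad)
  * reset_link_from_app_url      - uses the configured APP_URL only (good)
"""
from urllib.parse import urlsplit, urlunsplit

# Assumed configured value, as it would appear in .env: APP_URL=https://docs.example.com
APP_URL = "https://docs.example.com"

# Assumed reset route; the real path in any given application may differ.
RESET_PATH = "/password/reset/{token}"


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """Vulnerable: the link's host comes from whatever the client sent.

    An attacker who can reach the instance under a name they control, or
    who can inject a Host header, makes the victim's reset email point at
    the attacker's server, which then harvests the token on click.
    """
    host = headers.get("Host", "")
    return "https://" + host + RESET_PATH.format(token=token)


def app_url_is_configured(app_url: str) -> bool:
    """True only for an absolute http(s) URL with a host, i.e. a usable APP_URL."""
    parts = urlsplit(app_url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def reset_link_from_app_url(app_url: str, token: str) -> str:
    """Hardened: scheme, host, port and base path all come from configuration.

    Nothing from the request is used, so a forged Host header cannot
    influence where the emailed link points. An unset APP_URL is treated
    as a hard error rather than silently falling back to the request host.
    """
    if not app_url_is_configured(app_url):
        raise ValueError("APP_URL must be set to an absolute http(s) URL")
    base = urlsplit(app_url)
    path = base.path.rstrip("/") + RESET_PATH.format(token=token)
    return urlunsplit((base.scheme, base.netloc, path, "", ""))


def request_host_matches_app_url(headers: dict, app_url: str) -> bool:
    """Optional defence in depth: refuse requests addressed to another host.

    Compares the request's Host header (case-insensitively, including any
    explicit port) against the netloc of the configured APP_URL.
    """
    expected = urlsplit(app_url).netloc.lower()
    return headers.get("Host", "").lower() == expected


if __name__ == "__main__":
    token = "constructed-reset-token"
    # Constructed attacker request: the instance is reached under a hostname
    # the attacker controls.
    forged_request = {"Host": "evil.example", "X-Forwarded-For": "198.51.100.7"}

    print("vulnerable :", reset_link_from_host_header(forged_request, token))
    print("hardened   :", reset_link_from_app_url(APP_URL, token))
    print("host check :", request_host_matches_app_url(forged_request, APP_URL))
```

The hardened builder keeps any sub-path present in `APP_URL` (for example an instance served under `/wiki/`), which is why the advisory asks for the value to match the base URL exactly. The host check is only a supplement: the real fix is never constructing absolute links from request data in the first place.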
To prevent exploitation of the server-side request forgery issue, page edit permissions could be limited to trusted users only until you can upgrade.
References
Attribution
- Thanks to @PercussiveElbow for the responsible discovery & reporting of these vulnerabilities.
More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.