Beta Security Release v0.30.5
Dan Brown posted on the 6th of December 2020
Phishing and and server-side request forgery vulnerabilities have been found within BookStack. Release v0.30.5 will remove this server-side request forgery issue while bringing updated wording and advisories to prevent the potential phishing vulnerability.
A user with permissions to edit a page could set certain image URL’s within a page to manipulate functionality in the exporting system, which would allow them to make server side requests and/or have access to a wider scope of files within the BookStack file storage locations. This is primarily a concern if untrusted users are able to edit pages in your instance.
A malicious attacker could craft a password reset request with an alternate host address, resulting in a password reset email being sent to someone with an alternate destination. This could be used for phishing attempts with a sight to gain further access if successful. This is a primarily a concern on hosts where requests to unexpected domain names could reach your BookStack instance.
Within v0.30.5 the above server-side request forgery vulnerability will no longer exist since that specific functionality was removed. Within v0.30.5 the default state and wording within the provided
.env.example file was updated to encorage filling of the
APP_URL parameter (See below).
To help prevent the potential phishing vulnerability, please ensure you have set the
APP_URL option in your
.env file. The value of this should exactly match the base URL you are using to host BookStack.
To prevent exploitation of the server-side request forgery issue, page edit permissions could be limited to only those that are trusted until you can upgrade.
- Thanks to @PercussiveElbow for the responsible discovery & reporting of this vulnerability.
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.