CVE-2023-4624 - Exploring the SSRF Vulnerability in BookStack (bookstackapp/bookstack) Before v23.08
In November 2023, a Server-Side Request Forgery (SSRF) vulnerability was discovered in the popular open-source BookStack project (GitHub repository here). This flaw, tracked as CVE-2023-4624, affects all versions of BookStack prior to v23.08 and allows attackers to trick the server into making HTTP requests to arbitrary locations — potentially accessing sensitive internal resources.
In this post, we'll break down what SSRF is, how this bug worked in BookStack, how it could be exploited, and how to stay safe.
What is SSRF?
Server-Side Request Forgery (SSRF) is a security vulnerability in which an attacker tricks a server into sending requests to internal or external systems. Since the server often sits within a trusted network, it might reach endpoints that are normally unreachable to external attackers.
What Caused the Issue?
BookStack is a wiki and documentation platform built on Laravel (PHP). Prior to v23.08, some components did not properly validate or sanitize user-supplied URLs before using them in server-side HTTP requests. This allowed attackers to specify arbitrary URLs which the server would request, opening the door to SSRF attacks.
For example:
An image embed or similar feature might fetch the image on behalf of the user, but if it doesn't properly check the URL, a malicious user could supply a URL like http://localhost/admin or even http://169.254.169.254/latest/meta-data/ (on AWS) — exposing internal resources.
Exploit Details
Attackers could use BookStack features (like an image fetcher or web link validator) to supply URLs under their control. With a little probing, an attacker could:
- Access internal IPs (http://127...1/, http://192.168..1/)
Proof-of-Concept (PoC) attack flow
1. Attacker registers/logins to BookStack.
2. Attacker creates/edit page and embeds remote content using a user-controllable URL field.
Attacker submits a specially crafted payload, e.g.:
- http://localhost:800/
- http://127...1:808/admin
- http://169.254.169.254/latest/meta-data/
4. BookStack server fetches the resource. If successful, attacker gets a response containing potentially sensitive internal data.
Example Attack Snippet
Suppose the BookStack instance allowed you to add a web image to a page. The simplified PHP handling (vulnerable version) might look like:
$imageUrl = $_POST['image_url'];
$imageData = file_get_contents($imageUrl);
file_put_contents('/uploads/' . basename($imageUrl), $imageData);
If no validation is performed, you could send
POST /image/add HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
image_url=http://localhost:808/private-info
The server then fetches from localhost:808 and displays/saves the result.
References
- GitHub Security Advisory for CVE-2023-4624
- NVD Entry for CVE-2023-4624
- BookStack Release Notes
How Was it Fixed?
In v23.08, BookStack implemented proper validation/sanitization for all user-supplied URLs, making sure URLs could not point to internal IP addresses or unsafe hosts. Invalid or unsafe URLs are now blocked before any server-side request is made.
Sample whitelist logic
$host = parse_url($imageUrl, PHP_URL_HOST);
if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
// Block private or reserved IPs
exit('Unsafe URL');
}
Conclusion
CVE-2023-4624 is a potent reminder of the real risks of SSRF, especially in software that routinely fetches remote resources on behalf of users. If you're running BookStack, *patch now* and always be wary of accepting user-supplied URLs.
For developers: always validate and sanitize URLs before making any server-side requests.
---
Stay Secure!
If you want to learn more about BookStack or its security efforts, visit the official GitHub page.
Timeline
Published on: 08/30/2023 13:15:00 UTC
Last modified on: 09/01/2023 19:59:00 UTC