CVE-2023-0609: Merge pull request from GHSA-qwx8-mxxx-mg96 · wallabag/wallabag@0f7460d
Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.
@@ -6,7 +6,6 @@ use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; use Symfony\Component\Routing\Annotation\Route; use Wallabag\CoreBundle\Entity\Entry;
/** * The try/catch can be removed once all formats will be implemented. @@ -26,9 +25,21 @@ class ExportController extends Controller * * @return \Symfony\Component\HttpFoundation\Response */ public function downloadEntryAction(Entry $entry, $format) public function downloadEntryAction(Request $request, $format) { try { try { $entry = $this->get(‘wallabag_core.entry_repository’) ->find((int) $request->query->get(‘id’));
/** * We duplicate EntryController::checkUserAction here as a quick fix for an improper authorization vulnerability * * This should be eventually rewritten */ if (null === $entry || null === $this->getUser() || $this->getUser()->getId() !== $entry->getUser()->getId()) { throw new NotFoundHttpException(); }
return $this->get(‘wallabag_core.helper.entries_export’) ->setEntries($entry) ->updateTitle(‘entry’)
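Review bot: in the `downloadEntryAction` hunk the ownership check is copied from `EntryController::checkUserAction`, as the inline comment admits, so the export path and the entry path now carry two copies of the same rule; move it into one shared helper (on the repository or a controller trait) before the "should be eventually rewritten" note is forgotten, and add a regression test that requests another user's entry through the export route and asserts a 404. The check itself is sound: a missing entry, an anonymous caller and a foreign owner all collapse into the same `NotFoundHttpException`, which is what keeps the response from revealing whether an id exists, and the `(int)` cast on `$request->query->get('id')` turns non-numeric input into `find(0)`, which also ends in the 404 branch. The removal of the `Entry` import in the first hunk matches the dropped type hint and needs no further change.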
# Description

The export feature lets a user export a single entry or a set of entries in a given format (_e.g. PDF, MOBI, TXT_). For example, `https://yourinstance.wallabag.org/export/45.pdf` will export the entry with id 45 in PDF format.

Since wallabag 2.0.0-alpha.1, this feature is vulnerable to an insecure direct object reference (IDOR) attack: a logged-in user can export any single entry without ownership validation. This is due to a missing access check in the `downloadEntryAction` method.

**You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or have open registration.**

# Resolution

A user check is now done in the vulnerable method before sending the exported entry. The `Entry` retrieval through a `ParamConverter` has also been replaced with a call to the `EntryRepository`, so that a missing entry and an entry owned by another user produce the same response and no information is disclosed through a response discrepancy.

# Workaround

If you are unable to update to the latest version or if yo...
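The response-discrepancy point in the Resolution is easy to miss, so here is a framework-free model of it as an added example (not wallabag's own code; the `Entry`, `EntryRepository` and the two handler functions are constructed for this illustration and return bare HTTP status codes instead of Symfony responses). The "before" handler mimics the naive fix the patch avoided: a `ParamConverter`-style lookup that 404s on a missing entry followed by a separate ownership check that 403s, which lets a caller tell whether an id exists. The "after" handler does what the patched `downloadEntryAction` does: one repository lookup and one combined check with a single failure status. Requires PHP 8.1 or newer.

```php
<?php
// Added example modelling the wallabag export fix; not wallabag's code.
// All entries, users and status codes below are constructed for illustration.

declare(strict_types=1);

final class Entry
{
    public function __construct(public readonly int $id, public readonly int $ownerId) {}
}

// Stand-in for the Doctrine repository: find() returns null for unknown ids.
final class EntryRepository
{
    /** @var array<int, Entry> */
    private array $entries = [];

    public function __construct(Entry ...$entries)
    {
        foreach ($entries as $e) {
            $this->entries[$e->id] = $e;
        }
    }

    public function find(int $id): ?Entry
    {
        return $this->entries[$id] ?? null;
    }
}

// Hypothetical naive fix: ParamConverter resolves the entry (404 when absent),
// then a late ownership check rejects other users' entries with 403.
// Two different failure codes disclose whether the id exists.
function exportWithDiscrepancy(EntryRepository $repo, ?int $currentUserId, int $id): int
{
    $entry = $repo->find($id);
    if ($entry === null) {
        return 404; // ParamConverter behaviour
    }
    if ($currentUserId === null || $entry->ownerId !== $currentUserId) {
        return 403; // leaks that the entry exists
    }
    return 200;
}

// Shape of the patched downloadEntryAction: one lookup, one combined check,
// one failure status. Missing entry, anonymous caller and foreign owner are
// indistinguishable to the requester.
function exportUniform(EntryRepository $repo, ?int $currentUserId, int $id): int
{
    $entry = $repo->find($id);
    if ($entry === null || $currentUserId === null || $entry->ownerId !== $currentUserId) {
        return 404;
    }
    return 200;
}

// Constructed data: entry 45 belongs to user 1, entry 46 to user 2, 99 does not exist.
$repo = new EntryRepository(new Entry(45, ownerId: 1), new Entry(46, ownerId: 2));

foreach ([45, 46, 99] as $id) {
    printf(
        "entry %d requested by user 1: naive=%d patched=%d\n",
        $id,
        exportWithDiscrepancy($repo, 1, $id),
        exportUniform($repo, 1, $id)
    );
}
```

Run with `php example.php`: for user 1, entry 45 succeeds in both versions, while entry 46 (owned by user 2) and the non-existent entry 99 differ under the naive handler (403 versus 404) but are both 404 under the patched shape. That uniform status is the property to preserve when the duplicated check is eventually moved into a shared helper.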