No password confirmation on sensitive action like email change in ikus060/rdiffweb

Valid

Reported on

Sep 26th 2022


Description

It is important to implement password checks on sensitive features like an email change.

Proof of Concept

1) Go to https://rdiffweb-demo.ikus-soft.com/login/
2) Use the credentials admin, admin123 and log in to your account
3) Navigate to the endpoint https://rdiffweb-demo.ikus-soft.com/prefs/general
4) Change the email and save the changes
5) You will notice that there is no password confirmation during this sensitive action

Mitigation: There must be a password confirmation on sensitive actions like an email change.




# Impact

If someone leaves their account open on a public computer (say in an office or cafe), then an attacker can easily change the email associated with this account.
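As an added illustration of the mitigation this report asks for (example code, not rdiffweb's own), a minimal handler that refuses an email change unless the current password is confirmed, and then revokes the user's other sessions; the user store, session table and password are constructed for the example.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(user, candidate):
    """Constant-time comparison so a wrong guess takes the same time as a right one."""
    _, digest = hash_password(candidate, user["salt"])
    return hmac.compare_digest(digest, user["pw_hash"])


def change_email(store, sessions, session_id, new_email, current_password):
    """Sensitive action: require the current password, then drop other sessions.

    Returns (True, new_email) on success or (False, reason) on failure.
    """
    sess = sessions.get(session_id)
    if sess is None:
        return False, "not authenticated"
    user = store[sess["user"]]
    # One generic failure reason: do not reveal whether the field was empty or wrong.
    if not current_password or not verify_password(user, current_password):
        return False, "password confirmation failed"
    user["email"] = new_email
    # Expire every other session of this user, so a session left open elsewhere
    # (the office or cafe machine from the report) loses control of the account.
    for sid in [s for s, v in sessions.items() if v["user"] == sess["user"]]:
        if sid != session_id:
            del sessions[sid]
    return True, user["email"]


def make_demo_state():
    """Constructed in-memory state: one user with two live sessions."""
    salt, digest = hash_password("correct-horse-battery")  # constructed password
    store = {"admin": {"email": "admin@example.invalid", "salt": salt, "pw_hash": digest}}
    sessions = {"sid-cafe": {"user": "admin"}, "sid-home": {"user": "admin"}}
    return store, sessions
```

Without the password the change from the "cafe" session is rejected and the stored email is untouched; with it, the change succeeds and only the session that confirmed the password survives.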

References

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 2 months ago
Patrik Dufresne
2 months ago

Maintainer


If someone leaves the session open, the user's backup is at risk. Changing the user's email is nothing compared to that. Do you think we should ask for the password for all this kind of operation? Probably yes.

Patrik Dufresne assigned a CVE to this report 2 months ago
Patrik Dufresne validated this vulnerability 2 months ago
nehalr777 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
nehalr777
2 months ago

Researcher


Yes, indeed a password backup must be added to all sensitive actions :)

We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. 2 months ago
Patrik Dufresne
2 months ago

Maintainer


After a lot of reading, given the type of application, all operations in Rdiffweb are sensitive. Seeing personal files, deleting them seems even more sensitive than editing the email. Looking at what banks do, I think it would be acceptable to limit the session to 10min. If it's good for the protection of my bank account, it should be good for the protection of backup data.

This value is already configurable for Rdiffweb. Will change the default value to 10min.

nehalr777
2 months ago

Researcher


Hello sir, thank you for your email. Usually reducing the session time won't be as effective as implementation of a session timed up to 10 mins for a variety of reasons.

  1. As I highlighted, password confirmation is important for an email change (considering the 2FA bypass issue).
  2. A user will not be quite happy being logged off every 10 minutes, reauthenticating again and again.

I believe a password confirmation is necessary for at least an email change, and it is also necessary for the session to expire on email change.

We have sent a second fix follow up to the ikus060/rdiffweb team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the ikus060/rdiffweb team. This report is now considered stale. a month ago
Patrik Dufresne marked this as fixed in 2.5.0a6 with commit f2a32f a month ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability 15 days ago