Cross Site Request Forgery in Admin area leads to deletion of repositories and users in ikus060/rdiffweb

Valid

Reported on

Sep 16th 2022


Description

The server accepts GET requests for deleting repositories and users, which can lead to a CSRF attack on repositories and users.

Proof of Concept

Open the URLs below after logging in to the admin account on the demo site.

For deleting a repository (replace "replace-here" with a repository name):
https://rdiffweb-demo.ikus-soft.com/delete/admin/replace-here?action=&confirm=replace-here

For deleting a user:
https://rdiffweb-demo.ikus-soft.com/admin/users?action=delete&username=username
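Both endpoints above change server state on a plain GET, so any page the logged-in admin happens to visit can trigger the deletion through a link or image tag. The added example below is not rdiffweb's code: `Request`, `vulnerable_delete`, `issue_csrf_token` and `hardened_delete` are constructed stand-ins modelled on the user-deletion URL, contrasting the reported behaviour with a handler that only acts on POST and only when a per-session CSRF token matches.

```python
import hmac
import secrets


class Request:
    """Constructed stand-in for a web framework's request object."""

    def __init__(self, method, params, session):
        self.method = method    # "GET" or "POST"
        self.params = params    # merged query-string / form parameters
        self.session = session  # server-side session of the logged-in admin


def vulnerable_delete(request):
    """Reported behaviour: a GET that names a target is enough to delete it."""
    if request.params.get("action") == "delete" and "username" in request.params:
        return "deleted " + request.params["username"]
    return "no-op"


def issue_csrf_token(session):
    """Mint a random per-session token; the delete form embeds it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def hardened_delete(request):
    """Only change state on POST, and only when the form token matches the session."""
    if request.method != "POST":
        # Safe methods must never have side effects; a forged link or <img> is a GET.
        return "rejected: state change over GET"
    expected = request.session.get("csrf_token", "")
    supplied = request.params.get("csrf_token", "")
    # Constant-time comparison; a third-party page cannot read the victim's token,
    # so a cross-site POST arrives without it (or with a guess that will not match).
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or invalid CSRF token"
    if request.params.get("action") == "delete" and "username" in request.params:
        return "deleted " + request.params["username"]
    return "no-op"
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a browser-enforced second layer, but it does not replace the method and token checks.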

Impact

Deletion of repositories and users
Patrik Dufresne validated this vulnerability 7 days ago

I confirm the vulnerability.

Patrik Dufresne
7 days ago

Maintainer

@admin could we get a CVE for this report. Thanks

Jamie Slome
7 days ago

Admin

Sorted :)

Patrik Dufresne confirmed that a fix has been merged on 422791 7 days ago
page_delete.py#L64-L81 has been validated