Cross Site Request Forgery in Admin area leads to deletion of repositories and users in ikus060/rdiffweb

Valid

Reported on

Sep 16th 2022


Description

Server accepts GET requests for deleting repositories and users, which can lead to a CSRF attack on repositories.

Proof of Concept

Open the URLs below after logging in to the admin account on the demo site.
For deleting a repository: replace "replace-here" with a repo name
https://rdiffweb-demo.ikus-soft.com/delete/admin/replace-here?action=&confirm=replace-here
For deleting a user:
https://rdiffweb-demo.ikus-soft.com/admin/users?action=delete&username=username

Impact

Deletion of repositories and users
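Added example (not rdiffweb's code) of the weakness the report describes beside the corrected form: a user-deletion handler that acts on a GET query string, and one that only mutates state on POST carrying a per-session CSRF token. The Request and Session classes and the handler names are constructed for illustration.

```python
"""CSRF via state-changing GET, as in the rdiffweb report, and the hardened
handler. Constructed example: framework-agnostic stand-ins for the request
and session objects a web framework would normally supply."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    query: dict                       # parsed URL query string
    form: dict = field(default_factory=dict)    # parsed POST body


@dataclass
class Session:
    user: str
    # Random per-session token, rendered into the admin form as a hidden field.
    # A third-party page cannot read it, so it cannot forge a valid request.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def delete_user_vulnerable(req: Request, session: Session, users: set) -> tuple:
    """Mirrors the reported behaviour: any authenticated request, GET included,
    with ?action=delete&username=... deletes the user. A link or <img> on an
    unrelated page triggers it because the browser attaches the admin's cookie."""
    if req.query.get("action") == "delete":
        users.discard(req.query.get("username"))
        return 200, "deleted"
    return 200, "ok"


def delete_user_hardened(req: Request, session: Session, users: set) -> tuple:
    """State changes only on POST, and only with the session's CSRF token."""
    if req.method != "POST":
        return 405, "method not allowed"         # GET must never mutate
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token's bytes.
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "missing or invalid csrf token"
    if req.form.get("action") == "delete":
        users.discard(req.form.get("username"))
        return 200, "deleted"
    return 400, "unknown action"
```

A matching server-side check is to log every 405/403 from these handlers, since a forged cross-site request shows up there while legitimate form submissions do not.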
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 8 months ago
Ambadi MP modified the report
8 months ago
Ambadi MP modified the report
8 months ago
Patrik Dufresne validated this vulnerability 8 months ago

I confirm the vulnerability.

Ambadi MP has been awarded the disclosure bounty
Patrik Dufresne
8 months ago

Maintainer


@admin could we get a CVE for this report. Thanks

Jamie Slome
8 months ago

Admin


Sorted :)

Patrik Dufresne marked this as fixed in 2.4.5 with commit 422791 8 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
page_delete.py#L64-L81 has been validated