Cross Site Request Forgery in profile's "SSH Keys" leads to unauthorized access to the system in ikus060/rdiffweb

Status: Valid

Reported on Sep 14th 2022


Description

When an SSH public key is added to the profile, the server accepts the add action over a plain GET request. A logged-in user who opens a crafted link therefore has an attacker-supplied SSH public key added to their profile, which leads to unauthorised access to the system and backups.

Proof of Concept

Open the URL below after logging in to the demo site. The SSH public key will be added to the profile.
https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys?action=add&title=ssh1&key=ssh-rsa+AAAAB3NzaC1yc2EAAAADAQABAAAAgQCzurRNVKwb0ZJCmUgGenoe4vth5gnHxgnzjHSUO8r7IZiouB6DAciiVUAryV6MQm5trwIXNo0QDwFxyX99exIwUlDu3OzhZHKKbb721hCID17AWZMAQIgxQdu6b27s5YgJXsaxXWvEO2lSRVOnVXoCSI7mK5St%2FCJ8O1OdXivNIQ%3D%3D+noname%0D%0A

OR

1 - In Burp Suite, capture the request that adds an SSH public key, right-click it and choose "Change request method"; this converts the POST request into a GET. Then right-click again and copy the resulting URL.
2 - Log in to the demo site and open the copied URL. The SSH key will be added to the account.
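The defect the PoC demonstrates is a state change driven by query parameters on any HTTP method. The following added example (constructed for this write-up, not rdiffweb's code or its actual fix) contrasts that handler shape with a hardened one that requires POST, reads parameters only from the form body and checks a per-session anti-CSRF token; the request model, the example.invalid host and the sample key are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

class Request:
    """Constructed minimal request model (not rdiffweb's own code)."""
    def __init__(self, method, url, form=None, session_token=None):
        self.method = method
        # parse_qs decodes '+' as a space, so key=ssh-rsa+AAAA... arrives as "ssh-rsa AAAA..."
        self.query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        self.form = form or {}
        self.session_token = session_token  # anti-CSRF token bound to the login session

def vulnerable_add_sshkey(req, keys):
    """The pattern the report describes: action=add in the query string is
    honoured on any method, so a link the victim merely opens adds a key."""
    if req.query.get("action") == "add":
        keys.append((req.query.get("title", ""), req.query.get("key", "")))
        return 200
    return 400

def hardened_add_sshkey(req, keys):
    """Hardened form: POST only, parameters read from the form body (never the
    query string), and the form must carry the session's anti-CSRF token."""
    if req.method != "POST":
        return 405
    token = req.form.get("csrf_token", "")
    if not req.session_token or not hmac.compare_digest(token, req.session_token):
        return 403
    if req.form.get("action") != "add":
        return 400
    keys.append((req.form.get("title", ""), req.form.get("key", "")))
    return 200

def demo():
    """Drive both handlers with a constructed GET link shaped like the PoC URL,
    a POST lacking the token, and a legitimate POST; returns (status, key count)."""
    token = "c0ffee"  # constructed; a real token comes from secrets.token_urlsafe()
    link = "https://example.invalid/prefs/sshkeys?action=add&title=ssh1&key=ssh-rsa+AAAAEXAMPLE+noname"
    forged = Request("GET", link, session_token=token)  # victim is logged in
    form = {"action": "add", "title": "ssh1", "key": "ssh-rsa AAAAEXAMPLE noname"}
    no_token = Request("POST", "https://example.invalid/prefs/sshkeys", form=dict(form), session_token=token)
    good = Request("POST", "https://example.invalid/prefs/sshkeys", form={**form, "csrf_token": token}, session_token=token)
    vuln_keys, hard_keys = [], []
    return {"vulnerable_get": (vulnerable_add_sshkey(forged, vuln_keys), len(vuln_keys)),
            "hardened_get": (hardened_add_sshkey(forged, hard_keys), len(hard_keys)),
            "hardened_post_no_token": (hardened_add_sshkey(no_token, hard_keys), len(hard_keys)),
            "hardened_post": (hardened_add_sshkey(good, hard_keys), len(hard_keys))}
```

Note that the forged GET carries a valid login session and still fails on the hardened handler: the session cookie is exactly what a browser attaches automatically, so the method check and the token are what actually stop the cross-site request.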

Impact

Unauthorized access to the system and backups.
Timeline

Ambadi MP modified the report
ikus060/rdiffweb maintainer has acknowledged this report
Patrik Dufresne validated this vulnerability
Ambadi MP has been awarded the disclosure bounty
Patrik Dufresne (Maintainer):

@admin Is it possible to create a CVE? Thanks

Patrik Dufresne marked this as fixed in 2.4.3 with commit 9125f5
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome (Admin):

Done 👍
