Cross Site Request Forgery in profile's "SSH Keys" leads to unauthorized access to the system in ikus060/rdiffweb

Valid

Reported on

Sep 14th 2022


Description

While adding SSH public keys to the profile, the server accepts a GET request, which results in adding an SSH public key to the profile and leads to unauthorised access to the system and backups.

Proof of Concept

Open the URL below after logging in to the demo site. An SSH public key will be added to the profile.
https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys?action=add&title=ssh1&key=ssh-rsa+AAAAB3NzaC1yc2EAAAADAQABAAAAgQCzurRNVKwb0ZJCmUgGenoe4vth5gnHxgnzjHSUO8r7IZiouB6DAciiVUAryV6MQm5trwIXNo0QDwFxyX99exIwUlDu3OzhZHKKbb721hCID17AWZMAQIgxQdu6b27s5YgJXsaxXWvEO2lSRVOnVXoCSI7mK5St%2FCJ8O1OdXivNIQ%3D%3D+noname%0D%0A

OR

1 - In Burp Suite, capture the request that adds the SSH public key, right click and choose "Change request method"; this turns the POST request into a GET. After that, right click and copy the URL.
2 - Log in to the demo site and open the copied URL. The SSH key will be added to the account.

Impact

Unauthorized access to the system and backups.
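Added example, not rdiffweb's own code: a minimal model of the handler pattern this report describes next to a hardened one that only mutates on POST with a session-bound CSRF token, plus an access-log check for the GET-based add. The request/profile classes, field names and sample values are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, parse_qs
import hmac

# Constructed request/profile models (hypothetical, not rdiffweb's own classes).
@dataclass
class Request:
    method: str
    url: str
    form: dict = field(default_factory=dict)      # POST body fields
    session_token: Optional[str] = None           # CSRF token bound to the session

@dataclass
class Profile:
    ssh_keys: dict = field(default_factory=dict)  # title -> public key

def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def vulnerable_sshkeys(req: Request, profile: Profile) -> int:
    """Pattern in the report: action read from the query string, applied on any method."""
    p = query(req.url)
    if p.get("action") == "add":
        profile.ssh_keys[p["title"]] = p["key"]
        return 200
    return 400

def hardened_sshkeys(req: Request, profile: Profile) -> int:
    """Mutation only on POST, and only with a CSRF token equal to the session's."""
    if req.method != "POST":
        return 405
    token = req.form.get("csrf_token", "")
    if not req.session_token or not hmac.compare_digest(token, req.session_token):
        return 403
    if req.form.get("action") == "add":
        profile.ssh_keys[req.form["title"]] = req.form["key"]
        return 200
    return 400

def is_get_key_add(access_log_line: str) -> bool:
    """Access-log check for a GET-based key add (Common Log Format assumed)."""
    try:
        method, target = access_log_line.split('"')[1].split()[:2]
    except (IndexError, ValueError):
        return False
    return method == "GET" and urlsplit(target).path == "/prefs/sshkeys" and query(target).get("action") == "add"

# Constructed samples: a cross-site GET shaped like the PoC URL (key shortened) and one log line.
CROSS_SITE_GET = Request("GET", "https://rdiffweb.example/prefs/sshkeys?action=add&title=ssh1&key=ssh-rsa+AAAAB3Nza+noname")
SAMPLE_LOG = '203.0.113.5 - - [14/Sep/2022:10:00:00 +0000] "GET /prefs/sshkeys?action=add&title=ssh1&key=ssh-rsa+AAAAB3Nza HTTP/1.1" 200 512'
```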
Ambadi MP modified the report
9 days ago
ikus060/rdiffweb maintainer has acknowledged this report 9 days ago
Patrik Dufresne validated this vulnerability 9 days ago
Ambadi MP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
9 days ago

Maintainer


@admin Is it possible to create a CVE ? Thanks

Patrik Dufresne confirmed that a fix has been merged on 9125f5 9 days ago
Patrik Dufresne has been awarded the fix bounty
Jamie Slome
8 days ago

Admin


Done 👍
