Cross Site Request Forgery in profile's "SSH Keys" leads to unauthorized access to the system in ikus060/rdiffweb
Valid
Reported on
Sep 14th 2022
Description
When an SSH public key is added to the profile, the server accepts the operation over a plain GET request. Because the browser attaches the victim's session cookie to such a request, a logged-in user who opens an attacker-chosen URL gets a public key added to their profile, which leads to unauthorized access to the system and its backups.
Proof of Concept
Open the URL below after logging in to the demo site. An SSH public key will be added to the profile.
https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys?action=add&title=ssh1&key=ssh-rsa+AAAAB3NzaC1yc2EAAAADAQABAAAAgQCzurRNVKwb0ZJCmUgGenoe4vth5gnHxgnzjHSUO8r7IZiouB6DAciiVUAryV6MQm5trwIXNo0QDwFxyX99exIwUlDu3OzhZHKKbb721hCID17AWZMAQIgxQdu6b27s5YgJXsaxXWvEO2lSRVOnVXoCSI7mK5St%2FCJ8O1OdXivNIQ%3D%3D+noname%0D%0A
OR
1 - In Burp Suite, capture the request that adds the SSH public key, right-click it and choose "Change request method"; this converts the POST request into a GET request. Right-click again and copy the resulting URL.
2 - Log in to the demo site and open the copied URL. The SSH key will be added to the account.
Impact
Unauthorized access to the system and backups.
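The following is an added illustration of the root cause and of a fix; it is not rdiffweb's own code. The `Request` class, the `profile` dictionary, the session token and the trusted origin are assumptions standing in for the real CherryPy request object and user store. It contrasts a handler that adds a key on any method with one that requires POST, a same-origin check and a per-session CSRF token.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed; not the framework's type)."""
    method: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)  # query string
    form: dict = field(default_factory=dict)    # POST body


def vulnerable_add_sshkey(req, profile):
    # Vulnerable pattern: parameters are merged from query string and body,
    # and the method is never checked, so a forged GET link adds a key.
    params = {**req.params, **req.form}
    if params.get("action") == "add":
        profile.setdefault("sshkeys", []).append((params["title"], params["key"]))
        return 200
    return 400


def hardened_add_sshkey(req, profile, session_token, trusted_origin):
    # 1. State changes only over POST; a GET link cannot trigger this path.
    if req.method != "POST":
        return 405
    # 2. If the browser sent an Origin header, it must be our own site.
    origin = req.headers.get("Origin")
    if origin is not None and origin != trusted_origin:
        return 403
    # 3. The body must carry the token issued with the form for this session.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session_token):
        return 403
    if req.form.get("action") != "add":
        return 400
    profile.setdefault("sshkeys", []).append((req.form["title"], req.form["key"]))
    return 200


def demo():
    """Run constructed requests against both handlers and return status codes."""
    token = secrets.token_urlsafe(32)             # constructed per-session token
    site = "https://rdiffweb.example"             # assumed trusted origin
    key = {"action": "add", "title": "ssh1", "key": "ssh-rsa AAAAB3Nza... noname"}
    forged_get = Request("GET", {"Cookie": "session=victim"}, params=key)
    post_no_token = Request("POST", {"Origin": "https://evil.example"}, form=key)
    legit_post = Request("POST", {"Origin": site}, form={**key, "csrf_token": token})
    vuln, hard = {}, {}
    return {
        "vulnerable_forged_get": vulnerable_add_sshkey(forged_get, vuln),
        "hardened_forged_get": hardened_add_sshkey(forged_get, hard, token, site),
        "hardened_post_no_token": hardened_add_sshkey(post_no_token, hard, token, site),
        "hardened_legit_post": hardened_add_sshkey(legit_post, hard, token, site),
        "vulnerable_keys": len(vuln.get("sshkeys", [])),
        "hardened_keys": len(hard.get("sshkeys", [])),
    }
```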
Ambadi MP modified the report
