No Limit in length of root directory name , results in memory consumption/DOS attack in ikus060/rdiffweb


Reported on

Sep 24th 2022


There must be a fixed length for user input parameters like root directory name. Allowing users to enter long strings may result in a DOS attack or memory corruption

Proof of Concept

1)Go to endpoint . 2)Click on add user 3)Here you will see that there is no limit for the root directory name length that allows a user to to set a very long string as long as 1 million characters 4)This may possible result in a memory corruption/DOS attack

Mitigation: There must be a fixed length for the root directory name - upto 256 characters


Allows an attacker to set a root directory name with long string leading to memory corruption/possible DOS attack

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
Patrik Dufresne validated this vulnerability a year ago
nehalr777 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne marked this as fixed in 2.4.8 with commit 667657 a year ago
Patrik Dufresne has been awarded the fix bounty
admin_users.html#L1-L122 has been validated
to join this conversation