Lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection in ikus060/rdiffweb

Valid

Reported on

Dec 20th 2022


Description

Lack of sanitisation of characters in the SSH key name lets an attacker place a domain-like string (for example evil.com) in the notification email that rdiffweb sends when a key is added. Mail clients auto-link such strings, so the victim sees a clickable link that leads to a malicious website.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys
2) Add an SSH key
3) Enter the name evil.com
4) Because the name is not sanitised, the notification email sent on adding the SSH key contains evil.com verbatim, which mail clients render as a hyperlink (hyperlink injection)

Impact

This issue allows an attacker to lead a victim to a malicious website and carry out a phishing attack.
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 20 days ago
Patrik Dufresne validated this vulnerability 19 days ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
19 days ago

Maintainer


I still have a problem with this kind of vulnerability. I don't see why Rdiffweb should try to sanitize the SSH Key name.

First, it could be perfectly valid for a user to name the SSH key with a dot to follow the naming convention of an FQDN.

Second, it's not Rdiffweb that creates a link out of "evil.com", it's the mail client. GMail, as an example, creates a link for anything similar to a domain name. If there is a vulnerability, they should be the ones fixing it.

Third, well-known open-source projects like Gitlab are not sanitizing the value either. It's perfectly valid in Gitlab, and probably Github, to provide the token name "evil.com" for an SSH Key. And I feel it's right. And yes, the "evil.com" gets converted to a link.

So I think I won't get those fixed after all.

Nehal Pillai
19 days ago

Researcher


@maintainer ,

I strongly believe that this must be fixed mainly for 2 reasons

  1. A notification is going to be triggered on adding an SSH key; it is our role here to filter the key name, as it is initially vulnerable on the application side.
  2. It's all about adding sanitisation for certain characters like '.' that will make the application more secure against a phishing attack.

Let's say somebody sets the access key or SSH key name to 'You have been hacked, contact evil.com'. This will exploit the user's attention and will cause an impact to the rdiffweb application, as the notification is triggered by rdiffweb.

I believe it is a must fix issue

Nehal Pillai
19 days ago

Researcher


I agree that gitlab might not be sanitising such parameters, but they have other aspects that prevent this issue from occurring. As rdiffweb is not able to attain those security measures, it is important for character sanitisation to take place to make users safe from such phishing attacks.

Patrik Dufresne
19 days ago

Maintainer


If the phishing is the real vulnerability, I will find a way to sanitize the email that gets sent to the user instead of blocking the user from entering an SSH Key name that includes a dot (.).

I might have found a way to make sure GMail is not converting "evil.com" to a link. That should cover it.

Nehal Pillai
19 days ago

Researcher


@maintainer the best way is to implement a fix where gmail does not convert it into a link.

Patrik Dufresne
19 days ago

Maintainer


I've deployed a temporary version on rdiffweb-dev.ikus-soft.com. This version ensures "evil.com" is not converted into a link by GMail and other mail clients.

Meanwhile, "evil.com" is still a valid SSH Key title
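
The rendering-side approach the maintainer describes above, as an added illustration that is not rdiffweb's own code (the page does not show what the fix commit changed): HTML-escape the user-supplied name and insert an invisible word joiner (U+2060) after each '.', '@' and ':' so the name still reads as "evil.com" but no longer matches the domain pattern an auto-linker looks for. The function names are mine, the assumption that a word joiner defeats mail-client auto-linking is mine, and `_FAKE_AUTOLINKER` is a constructed stand-in for a mail client's detector, not GMail's.

```python
import html
import re

# Word joiner (U+2060): invisible, zero-width, non-breaking. Placed after a
# '.' it leaves the displayed text unchanged but splits the domain pattern
# that auto-linkers match on. ASSUMPTION: this defeats the auto-linkers we
# care about; it is not a guarantee for every mail client.
WORD_JOINER = "\u2060"

# Characters that anchor a link match: the dot of a domain, the '@' of an
# address and the ':' of a URL scheme.
_ANCHORS = re.compile(r"([.@:])")

# Constructed approximation of a mail client's link detector, used only to
# check the technique offline. It is NOT GMail's real matcher.
_FAKE_AUTOLINKER = re.compile(
    r"(?:https?://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?"
)


def defang_for_email(user_text: str) -> str:
    """Prepare a user-controlled string for an HTML notification body.

    1. HTML-escape it, so the value can never inject markup (<a href=...>).
    2. Insert a word joiner after every '.', '@' and ':' so the visible
       text is unchanged but no longer looks like a domain or URL.
    The key name itself is stored untouched; only the rendering changes.
    """
    escaped = html.escape(user_text, quote=True)
    return _ANCHORS.sub(lambda m: m.group(1) + WORD_JOINER, escaped)


def would_autolink(text: str) -> bool:
    """True if the constructed detector finds something it would linkify."""
    return _FAKE_AUTOLINKER.search(text) is not None


def render_ssh_key_notification(username: str, key_name: str) -> str:
    """Hypothetical notification template: every user value is defanged."""
    return (
        "<p>A new SSH key named <b>{name}</b> was added to the account "
        "<b>{user}</b>.</p>"
    ).format(name=defang_for_email(key_name), user=defang_for_email(username))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the report.
    for name in ("evil.com", "You have been hacked, contact evil.com",
                 '<a href="http://evil.com">click</a>'):
        safe = defang_for_email(name)
        print(f"{name!r}: raw autolinks={would_autolink(name)}, "
              f"defanged autolinks={would_autolink(safe)}")
    print(render_ssh_key_notification("alice", "evil.com"))
```

Stripping the word joiners back out of the rendered text (`s.replace("\u2060", "")`) returns the original escaped name, which is a useful property to assert in a unit test: the defence changes only what auto-linkers see, not what the user typed.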

Patrik Dufresne
19 days ago

Maintainer


Sorry, that version is not yet deployed. It should be within the next hour.

Nehal Pillai
19 days ago

Researcher


Yes sir, it's working; the fix that has been deployed ensures that it is not converted into a hyperlink 👍

Patrik Dufresne
18 days ago

Maintainer


I think it's the best way to get this vulnerability fixed while keeping the possibility to add special characters in an SSH Key or Token name. I don't want to restrict the user only.

I will complete the changes with that feature and the SSH Key added, probably this week.

Nehal Pillai
18 days ago

Researcher


Great to hear :)

Patrik Dufresne marked this as fixed in 2.5.5 with commit 6afaae 17 days ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability 17 days ago