CSRF leads to disabling notifications in users profile in ikus060/rdiffweb

Valid

Reported on

Sep 16th 2022


Description

Periodic repository update notifications are sent to the user's email. The server accepts a plain GET request to modify the repository notification settings, so the settings can be changed by a CSRF attack, which can be used to disable the notifications.

Proof of Concept

Replace repos with valid repo names
https://rdiffweb-demo.ikus-soft.com/prefs/notification?repo1%2FC=0&repo2=0&repo3=0&action=set_notification_info
example:
https://rdiffweb-demo.ikus-soft.com/prefs/notification?MyWindowsLaptop%2FC=0&test-encoding=0&testcases=0&action=set_notification_info
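The two behaviours contrasted in this report, as an added example that is not rdiffweb's own code or its actual patch: the pre-fix handler applies `action=set_notification_info` from any request, so the GET query string in the PoC above is enough, while the hardened version requires POST plus a per-session anti-CSRF token (assumed names `form_token` / `session_token`; the query string and settings dict are constructed).

```python
import hmac
from urllib.parse import parse_qs

# Constructed query string in the shape of the PoC URL (placeholder repo names).
# parse_qs decodes "repo1%2FC" to the repository name "repo1/C".
POC_QUERY = "repo1%2FC=0&repo2=0&repo3=0&action=set_notification_info"


def parse_notification_params(query):
    """Return (action, {repo_name: value}) from a urlencoded query/body.
    Every key except 'action' is a repository name; per the report a
    value of 0 disables notifications for that repository."""
    qs = parse_qs(query)
    action = qs.get("action", [None])[0]
    repos = {k: int(v[0]) for k, v in qs.items() if k != "action"}
    return action, repos


def vulnerable_set_notification(method, query, settings):
    """Pre-fix behaviour described in the report: the request method is
    never checked and no token is required, so a GET triggered from a
    third-party page in a logged-in user's browser changes the settings."""
    action, repos = parse_notification_params(query)
    if action != "set_notification_info":
        return False
    settings.update(repos)
    return True


def hardened_set_notification(method, query, settings, form_token, session_token):
    """Hardened form (assumption: one common fix, not rdiffweb's patch):
    state changes are POST-only and must carry a token bound to the session,
    compared in constant time so it cannot be guessed via timing."""
    if method != "POST":
        return False
    if not (form_token and session_token
            and hmac.compare_digest(form_token, session_token)):
        return False
    action, repos = parse_notification_params(query)
    if action != "set_notification_info":
        return False
    settings.update(repos)
    return True
```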

Impact

Repository notifications sent to the user's email will be disabled.
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 8 months ago
Patrik Dufresne validated this vulnerability 8 months ago
Ambadi MP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
8 months ago

Maintainer


@admin could you assign a CVE to this report

Jamie Slome
8 months ago

Admin


Done :)

We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. 8 months ago
Patrik Dufresne marked this as fixed in 2.4.6 with commit 18a5aa 8 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE