Unauthorized access to settings update, logs, history, delete etc. of repositories in ikus060/rdiffweb


Reported on

Nov 21st 2022


Attack Scenario:

Admin sets up a new user with User privileges and gives access to the repos' root directory "/". After a time, for some reason, he revokes the directory access privileges, but the user-privileged attacker can still edit settings, check logs and view history without having permissions.

Steps To reproduce:

From the Admin's account, make a new user with the least privileges and give him access to the root directory "/". Change the Root directory to blank and revoke the access to the root directory. Go to the User's account: if you try to access browse, it will give you 403. For example, accessing "backups/MyWindowsLaptop/C" directly via

https://rdiffweb-demo.ikus-soft.com/browse/{user-account}/backups/MyWindowsLaptop/C

gives you 403, but it can be accessed via:

https://rdiffweb-demo.ikus-soft.com/settings/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/logs/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/history/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/graphs/activities/{user-account}/backups/MyWindowsLaptop/C

Even if the attacker can't view it directly, he can perform all the functionalities which were supposed to be revoked, like download, history, edit settings, graphs, logs, etc.

If the attacker's account had Manager privileges, he can also delete the repo. The same scenario applies with a Manager account too.

POC: https://docs.google.com/document/d/1b9uMYyL6n6Js0Aw55ehsh9skQdJ1Q3D52Ve3bqTI9_A/


Unauthorized actions can be done by the attacker's account, even after removing the permissions. The attacker can read, access and edit, and in a manager's case he can delete it too.
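The failure pattern in this report is an authorization check applied on the browse route but not on the sibling repository routes (settings, logs, history, graphs, delete). The following is an added Python model of that pattern beside the corrected shape; it is not rdiffweb's own code, and the user names, paths, roles and route table are constructed for illustration.

```python
"""Per-route vs. centralised repository authorisation (constructed example)."""
import posixpath
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str            # constructed roles: "user", "manager", "admin"
    user_root: str = ""  # "" models the admin having blanked the Root directory


# Constructed route table: which role each repository action requires.
ACTIONS = {"browse": "user", "settings": "user", "logs": "user",
           "history": "user", "graphs": "user", "delete": "manager"}
ROLE_RANK = {"user": 0, "manager": 1, "admin": 2}


def normalize(path: str) -> str:
    """Collapse '..' and duplicate slashes so comparisons use canonical paths."""
    return posixpath.normpath("/" + path.strip("/"))


def repo_allowed(user: User, repo: str) -> bool:
    """Grant access only if a root is set and the repo resolves inside it."""
    if not user.user_root:
        return False
    root = normalize(user.user_root)
    target = normalize(posixpath.join(root, repo))
    return target == root or target.startswith(root.rstrip("/") + "/")


def dispatch_vulnerable(user: User, action: str, repo: str) -> int:
    """Pre-fix shape: only the browse route consults repo_allowed()."""
    if action not in ACTIONS:
        return 404
    if action == "browse" and not repo_allowed(user, repo):
        return 403
    return 200  # settings/logs/history/graphs/delete are never checked


def dispatch_fixed(user: User, action: str, repo: str) -> int:
    """Corrected shape: one path check and one role check for every action."""
    if action not in ACTIONS:
        return 404
    if not repo_allowed(user, repo):
        return 403
    if ROLE_RANK[user.role] < ROLE_RANK[ACTIONS[action]]:
        return 403
    return 200
```

Running the revoked user (empty root) through both dispatchers shows browse returning 403 in both while settings returns 200 only in the vulnerable version; the fixed dispatcher also rejects a path that resolves outside the granted root.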

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back a year ago
a year ago



Any updates on this?

thank you.

ikus060/rdiffweb maintainer has acknowledged this report a year ago
Patrik Dufresne modified the Severity from High (8) to Medium (6) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Patrik Dufresne validated this vulnerability a year ago
neverjunior has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a year ago


Can you please assign CVE on this?

a year ago


@admin can I please get a CVE for this? Thanks.

Patrik Dufresne marked this as fixed in 2.5.2 with commit b2df36 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago