Unauthorized access to settings update, logs, history, delete etc. of repositories in ikus060/rdiffweb

Valid

Reported on

Nov 21st 2022


Hey,

Attack Scenario:

Admin sets up a new user with User privileges and gives access to the repos' "/" root directory; after a time, for some reason, he revokes the directory access privileges, but the user-privileged attacker can still edit settings, check logs and view history without having permissions.

Steps To reproduce:

From the Admin's account, make a new user with the least privileges and give him access to the root directory "/". Change the root directory to blank and revoke the access to the root directory. Go to the User's account: if you try to access browse it will give you 403. For example, "backups/MyWindowsLaptop/C" accessed directly via https://rdiffweb-demo.ikus-soft.com/browse/{user-account}/backups/MyWindowsLaptop/C will give you 403, but if we try to access it via:

https://rdiffweb-demo.ikus-soft.com/settings/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/logs/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/history/{user-account}/backups/MyWindowsLaptop/C
https://rdiffweb-demo.ikus-soft.com/graphs/activities/{user-account}/backups/MyWindowsLaptop/C

Even if the attacker can't view it directly, he can perform all the functionalities which were supposed to be revoked, like download, history, edit settings, graphs, logs, etc.

If the attacker's account had Manager privileges, he can also delete the repo. The same scenario applies to a Manager account too.

POC: https://docs.google.com/document/d/1b9uMYyL6n6Js0Aw55ehsh9skQdJ1Q3D52Ve3bqTI9_A/

Impact

Unauthorized actions can be done by the attacker's account, even after removing the permissions. The attacker can read, access and edit, and in the manager's case he can delete that too.
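The root cause described in the report is an authorization check that runs on the browse route but not on the sibling repository routes. The following added example (illustrative, not rdiffweb's own code; the role names, users and paths are constructed) models that pattern beside a fixed handler that authorizes every endpoint through one rule, so revoking a user's root blocks all routes at once:

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    role: str          # "user" or "manager" (hypothetical role names)
    user_root: str     # directory granted by the admin; "" means revoked

@dataclass
class Repo:
    owner: str
    path: str          # constructed, e.g. "/backups/MyWindowsLaptop/C"

class Forbidden(Exception):
    pass               # stands in for the HTTP 403 in the report

# Repository endpoints named in the report; delete is manager-only.
ENDPOINTS = ("browse", "settings", "logs", "history", "graphs", "delete")

def is_authorized(user: User, repo: Repo) -> bool:
    # One rule, evaluated per request: the account must own the repo and the
    # admin-granted root must still be set and cover the repo path.
    if not user.user_root:
        return False
    return repo.owner == user.name and repo.path.startswith(user.user_root)

def role_allows(user: User, endpoint: str) -> bool:
    return endpoint != "delete" or user.role == "manager"

def handle_vulnerable(user: User, repo: Repo, endpoint: str) -> str:
    # Pattern from the report: only the browse handler re-checks repo access,
    # so a revoked user still reaches settings, logs, history and graphs.
    if endpoint == "browse" and not is_authorized(user, repo):
        raise Forbidden(endpoint)
    if not role_allows(user, endpoint):
        raise Forbidden(endpoint)
    return f"{endpoint} ok"

def handle_fixed(user: User, repo: Repo, endpoint: str) -> str:
    # Fix: resolve the repo and authorize before dispatching to any endpoint.
    if not is_authorized(user, repo) or not role_allows(user, endpoint):
        raise Forbidden(endpoint)
    return f"{endpoint} ok"

def reachable(handler, user: User, repo: Repo) -> list:
    # Endpoints this handler lets the user reach for the repo.
    ok = []
    for ep in ENDPOINTS:
        try:
            handler(user, repo, ep)
            ok.append(ep)
        except Forbidden:
            pass
    return ok
```

Running `reachable` with a user whose root has been cleared shows the vulnerable dispatcher still exposing every non-browse endpoint, while the fixed one returns nothing.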

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 2 months ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 2 months ago
neverjunior
2 months ago

Researcher


Hey,

Any updates on this?

Thank you.

ikus060/rdiffweb maintainer has acknowledged this report 2 months ago
Patrik Dufresne modified the Severity from High (8) to Medium (6) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Patrik Dufresne validated this vulnerability 2 months ago
neverjunior has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
neverjunior
2 months ago

Researcher


Can you please assign CVE on this?

neverjunior
a month ago

Researcher


@admin can I please get a CVE for this? Thanks.

Patrik Dufresne marked this as fixed in 2.5.2 with commit b2df36 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability a month ago