Using application logic to create an email spam attack in ikus060/rdiffweb


Reported on

Oct 3rd 2022


On every 3 invalid attempts the application sends a new code to the email associate with the account . An attacker can misuse this functionality of the code to create a spam attack

Proof of Concept

Pre-Requisites: 2FA must be enabled for  your account 

1) Go to and login using credentials
2) You will now have to enter MFA code
3) Bruteforce this code , its indeed an 8 digit code (~100 million combinations required) . Every third incorrect attempt will trigger a new code to the email , which will indeed result in an email spam attack

# Impact

This will result in an email spam attack and will also impose an extra cost to your company's mail server
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 2 months ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back 2 months ago
We have sent a follow up to the ikus060/rdiffweb team. We will try again in 7 days. 2 months ago
Patrik Dufresne assigned a CVE to this report 2 months ago
Patrik Dufresne modified the Severity from Medium (6.1) to Medium (5.6) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Patrik Dufresne validated this vulnerability 2 months ago
nehalr777 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne marked this as fixed in 2.5.0 with commit b78ec0 2 months ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has been assigned a CVE
Patrik Dufresne published this vulnerability 15 days ago
to join this conversation