Error page is default and leaks error information in ikus060/rdiffweb

Valid

Reported on

Sep 9th 2022


Description

Information is leaked in the error page, and this can support other vulnerabilities.

Proof of Concept

Whenever anything meaningless is entered after the link https://rdiffweb-demo.ikus-soft.com/, the error page will appear. Examples:

https://rdiffweb-demo.ikus-soft.com/*
https://rdiffweb-demo.ikus-soft.com/'
https://rdiffweb-demo.ikus-soft.com/admin/

Impact

Leaking information. Chance for other vulnerabilities.
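The failure mode described in this report, a default error handler that embeds the Python traceback in the HTTP response body, can be shown with a small self-contained model. The following is an added example for illustration and is not code from the report, from rdiffweb, or from the fix referenced below; the route table, the handler functions and the `leaks_stack_trace` check are all constructed here. It shows the leaky handler beside a hardened one that returns a generic page with a reference id and keeps the traceback in the server log, plus a check a maintainer can run against their own error pages.

```python
import logging
import re
import traceback
import uuid

LOG = logging.getLogger("errorpage")

# Constructed stand-in for the application's routing: any path that is not a
# known route raises, which is the condition the report triggers with paths
# such as "/*", "/'" and "/admin/" on a server with no such route.
KNOWN_ROUTES = {"/": "home page (constructed)"}


def dispatch(path):
    if path not in KNOWN_ROUTES:
        raise KeyError(f"no route for {path!r}")
    return KNOWN_ROUTES[path]


def handle_request_leaky(path):
    """'Before' behaviour: the 500 page carries the full traceback,
    exposing file paths, line numbers and library versions to the client."""
    try:
        return 200, dispatch(path)
    except Exception:
        return 500, "Internal error\n" + traceback.format_exc()


def handle_request_hardened(path):
    """'After' behaviour: the client gets a generic page with a reference id;
    the traceback goes only to the server log, keyed by that id so an
    operator can correlate a user complaint with the log entry."""
    try:
        return 200, dispatch(path)
    except Exception:
        incident_id = uuid.uuid4().hex[:12]
        LOG.error("unhandled error %s on %r\n%s",
                  incident_id, path, traceback.format_exc())
        return 500, f"Internal Server Error (reference {incident_id})"


# Markers of a Python traceback rendered into a response body.
_TRACEBACK_HEADER = "Traceback (most recent call last)"
_FRAME_LINE = re.compile(r'^\s*File "[^"]+", line \d+', re.MULTILINE)


def leaks_stack_trace(body):
    """True if a response body contains a Python traceback."""
    return _TRACEBACK_HEADER in body or _FRAME_LINE.search(body) is not None


def audit(handler, probe_paths):
    """Run each probe path through a handler and report which responses
    leak a traceback. Meant for a maintainer testing their own deployment."""
    return {path: leaks_stack_trace(handler(path)[1]) for path in probe_paths}


if __name__ == "__main__":
    probes = ["/*", "/'", "/admin/"]
    print("leaky   :", audit(handle_request_leaky, probes))
    print("hardened:", audit(handle_request_hardened, probes))
```

The `audit` function is the check to keep around: point it at the real error page of a staging instance after each upgrade and fail the deployment if any probe reports `True`. In CherryPy-based applications such as rdiffweb, the framework-level switch for this behaviour is the `request.show_tracebacks` configuration setting; the example above does not depend on CherryPy and only models the behaviour.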

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. 22 days ago
Chuu modified the report
22 days ago
Patrik Dufresne
22 days ago

Maintainer


The demo server is running with "debug" intentionally enabled. By default, rdiffweb is running without "debug" enabled. So I would not consider this a vulnerability.

Patrik Dufresne
22 days ago

Maintainer


Never mind. Debug mode is disabled and error_page still leaks a stacktrace.

Patrik Dufresne validated this vulnerability 22 days ago
Chuu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Chuu
21 days ago

Researcher


Thank you.

Patrik Dufresne
20 days ago

Maintainer


@chuu Would you create a CVE for this?

Chuu
19 days ago

Researcher


@admin Please help me to create a CVE report.

Jamie Slome
19 days ago

Admin


All sorted 👍 Once this report is marked as fixed (i.e. resolved), a CVE will automatically publish for this report with the CVE ID (CVE-2022-3175).

Patrik Dufresne
19 days ago

Maintainer


@chuu the affected version should be >=2.4.1

Jamie Slome
19 days ago

Admin


Sorted the affected version :)

We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. 19 days ago
Patrik Dufresne confirmed that a fix has been merged on 233bef 19 days ago
Patrik Dufresne has been awarded the fix bounty
Chuu
18 days ago

Researcher


@Patrik Thank you. By the way, I have a question: does this have a bounty?

Jamie Slome
18 days ago

Admin


We are currently not rewarding bounties on these types of reports. To see the projects you can get bounties for, see our list here.
