Error page is default and leaks error information in ikus060/rdiffweb
Reported on
Sep 9th 2022
Description
Information is leaked in the error page, and this can support other vulnerabilities.
Proof of Concept
Whenever anything meaningless is entered after the link https://rdiffweb-demo.ikus-soft.com/, the error page will appear. Examples:
https://rdiffweb-demo.ikus-soft.com/*
https://rdiffweb-demo.ikus-soft.com/'
https://rdiffweb-demo.ikus-soft.com/admin/
Impact
Leaking information. Chance for other vulnerabilities.
The demo server is running with "debug" intentionally enabled. By default, rdiffweb is running without "debug" enabled. So I would not consider this a vulnerability.
Never mind. Debug mode is disabled and error_page still leaks a stack trace.
All sorted 👍 Once this report is marked as fixed (i.e. resolved), a CVE will automatically publish for this report with the CVE ID (CVE-2022-3175).
@Patrik Thank you. By the way, I have a question: does this have a bounty?
We are currently not rewarding bounties on these types of reports. To see the projects you can get bounties for, see our list here.
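A sketch of the behaviour the thread converges on, as an added example that is not rdiffweb's code or its actual fix: a WSGI error handler that writes the traceback to the server log under an incident id and puts it in the response only when debug is explicitly enabled, plus a check that can be run against the paths from the report. All names (`render_error`, `safe_errors`, `demo_app`, `fetch`, `leaks_trace`) and the stand-in application are constructed for illustration.

```python
import html
import logging
import sys
import traceback
import uuid

log = logging.getLogger("errorpage")
MARKERS = ("Traceback (most recent call last)", 'File "')

def render_error(status, exc_info, debug=False):
    """Log the traceback under an incident id; show it only in debug mode."""
    incident = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(*exc_info))
    log.error("incident=%s status=%s\n%s", incident, status, trace)
    body = "<h1>%s</h1><p>Reference: %s</p>" % (html.escape(status), incident)
    if debug:
        body += "<pre>%s</pre>" % html.escape(trace)
    return body

def safe_errors(app, debug=False):
    """WSGI middleware: replace any unhandled exception with render_error()."""
    def wrapper(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            status = "500 Internal Server Error"
            body = render_error(status, sys.exc_info(), debug).encode("utf-8")
            start_response(status, [("Content-Type", "text/html; charset=utf-8")])
            return [body]
    return wrapper

def demo_app(environ, start_response):
    """Constructed stand-in application: every path raises."""
    raise LookupError("no handler for %r" % environ["PATH_INFO"])

def fetch(app, path):
    """Call a WSGI app in-process; return (status, body text)."""
    seen = []
    chunks = app({"REQUEST_METHOD": "GET", "PATH_INFO": path},
                 lambda status, headers, exc_info=None: seen.append(status))
    return seen[0], b"".join(chunks).decode("utf-8")

def leaks_trace(body):
    """True if a response body contains Python traceback markers."""
    return any(marker in html.unescape(body) for marker in MARKERS)

if __name__ == "__main__":
    for path in ("/*", "/'", "/admin/"):  # paths from the report
        print(path, leaks_trace(fetch(safe_errors(demo_app), path)[1]))
```

The reference id in the page lets an operator find the matching traceback in the log without exposing it to the client.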