Username field is not unique to users, allowing exploitation of primary key logic by creating the same name with different letter-case combinations & unauthorized access in ikus060/rdiffweb
Reported on Dec 22nd 2022
Description
When creating a user, the username field is not checked for uniqueness: a username that differs only in letter case from an existing one is accepted as a new account. Usernames should be made unique.
Proof of Concept
1. Log in to the demo account at https://rdiffweb-demo.ikus-soft.com/login/
2. Enter the username admin and the password admin123.
3. Visit https://rdiffweb-demo.ikus-soft.com/admin/users
4. Click on the "Add user" button.
5. Fill in the form as you like; reuse the same email each time to create more such users, and change the "User Role" each time if you wish.
6. You will notice a major flaw in the user permission access control: the "username" is treated as the primary key.
7. Now add another user with the same username but with some letters capitalised. The system treats it as unique, and a new user with the same "username" word (and whichever role you chose) is created.
Impact
- This leads to exploitation of the primary key logic.
- This leads to broken authorization: a user is able to create the same username and fool the system, which results in an authorization bypass.
- It may also cause confusion among users and lead to further attacks on the system.
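As an added illustration (a constructed example, not rdiffweb's own code), the check below contrasts a uniqueness test that compares usernames verbatim, which is the behaviour described in the steps above, with one that canonicalises the name (NFKC normalisation plus casefold) before comparing. The hardened variant also folds Unicode compatibility forms such as fullwidth letters, which goes beyond the case-only issue reported here; the UserStore class and its method names are assumptions for this example.

```python
import unicodedata


class UserStore:
    """Toy in-memory user store, constructed for this example.

    With case_insensitive=False, usernames are compared verbatim, so
    "admin" and "Admin" are accepted as two different accounts (the
    reported behaviour). With case_insensitive=True, the name is
    canonicalised before the uniqueness check, so they collide.
    """

    def __init__(self, case_insensitive: bool):
        self.case_insensitive = case_insensitive
        self._users = {}  # canonical key -> (display name, role)

    def _key(self, username: str) -> str:
        # Canonical form: NFKC maps compatibility characters (e.g. fullwidth
        # letters) to their base form, casefold handles letter case more
        # thoroughly than lower(). In verbatim mode the raw string is the key.
        if not self.case_insensitive:
            return username
        return unicodedata.normalize("NFKC", username).casefold()

    def add_user(self, username: str, role: str) -> bool:
        """Return True if the user was created, False if the name already exists."""
        key = self._key(username)
        if key in self._users:
            return False
        self._users[key] = (username, role)
        return True

    def lookup(self, username: str):
        """Find a user by name using the same canonical key as add_user."""
        return self._users.get(self._key(username))


def demo():
    """Attempt the same four spellings of 'admin' against both stores."""
    # Constructed sample input: ASCII case variants plus a fullwidth spelling.
    names = ["admin", "Admin", "ADMIN", "\uff41\uff44\uff4d\uff49\uff4e"]
    results = {}
    for label, store in (("verbatim", UserStore(False)),
                         ("canonical", UserStore(True))):
        results[label] = [store.add_user(n, "admin") for n in names]
    return results  # verbatim: all True; canonical: only the first True
```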
@raiders0786 Could you adjust the security level of this report? As it requires admin privilege to create a username with varying case, the severity should not be 9.8.
I've updated the severity by raising the privilege-required parameter to HIGH. There might be ways in which admins can be tricked while they are away from the system, or issues due to sessions in the future, if any.
As the issue affects the critical logic of primary keys, leading to the creation of more such admin users with different combinations of letters, this issue's severity should be High!
@patrik I wanted to know if this issue would be eligible for a CVE ID upon resolution.
Happy to Secure :)
I've completed a change for this and deployed it on:
rdiffweb-dev.ikus-soft.com admin / admin123
If you could test it, that would be great.
Super! Will soon prepare a release and publish it.
Thanks
Thank you Patrik for the quick fix & publishing this vulnerability!