Origin validation Bypass in ikus060/rdiffweb


Reported on

Oct 6th 2022

In the following python script

    if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
        origin = request.headers.get('Origin', None)
        if origin and not origin.startswith(request.base):
            raise cherrypy.HTTPError(403, 'Unexpected Origin header')


In the above lines of code, The origin is being only validated from the start of domain name only https://rdiffweb-demo.ikus-soft.com. But it isn't validated after the actual domain name https://rdiffweb-demo.ikus-soft.com .nithissh.com

For Example,

If we enter the following domain https://nithissh.com.rdiffweb-demo.ikus-soft.com as an origin and then the origin header being validated and returns a 403 status as expected in the code

But Now we can bypass the above validation check, By a creating subdomain after the soft.com.^ as follows https://rdiffweb-demo.ikus-soft.com .nithissh.com.


These kind of origin validation bypasses helps in chaining with other vulnerabilities like CSRF, XSS and Clickjack as well


This is a snippet of regex for a user input and we can make use of this in the Origin header validation as well

import re

def use_regex(input_text):
    pattern = re.compile(r"^rdiffweb-demo\.ikus-soft\.com$", re.IGNORECASE)
    return pattern.match(input_text)
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back a year ago
Patrik Dufresne modified the Severity from Medium (6.5) to Medium (4.8) a year ago
Patrik Dufresne
a year ago



It's very unlikely to work since Rdiffweb is installed behind a reverse proxy that would not know how to respond to "https://rdiffweb-demo.ikus-soft.com .nithissh.com"

Have you been able to exploit this vulnerability with rdiffweb-demo.ikus-soft.com ?

a year ago


It isn’t possible as of now but In future we can able to use this vulnerability to exploit such vulnerabilities like XSS, CSRF in future

We have sent a follow up to the ikus060/rdiffweb team. We will try again in 4 days. a year ago
Patrik Dufresne modified the Severity from Medium (4.8) to Low (3.7) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Patrik Dufresne validated this vulnerability a year ago
nithissh200 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a year ago


Thanks Patrik, Have a great day ahead

a year ago


@admin Is it possible to collaborator here ?

a year ago


Hey @nithissh12 unfortunately we don't support collaboration just yet...

Patrik Dufresne marked this as fixed in 2.5.0a5 with commit afc1bd a year ago
Patrik Dufresne has been awarded the fix bounty
secure_headers.py#L60-L63 has been validated
This vulnerability has now been published a year ago
to join this conversation