Virual defacement allows attacker to display any message of his choice in ikus060/rdiffweb

Valid

Reported on

Sep 22nd 2022

Description

This attack involves injecting malicious data into a page of a web application to feed misleading information to users of the application. This kind of attack is known as virtual defacement because the actual content hosted on the target's web server is not modified. The defacement is generated solely because of how the application processes and renders user-supplied input.

Proof of Concept

  1. Go to https://rdiffweb-demo.ikus-soft.com
  2. Login using the credentials - admin , admin123
  3. Visit url : https://rdiffweb-demo.ikus-soft.com/This website has been hacked and the confidential data of all users have been compromised and leaked to public . You can craft your personal message here .
  4. Your message "This website has been hacked and the confidential data of all users have been compromised and leaked to public" will be displayed

Attack Scenario: Attacker constructs a malicious message.Attackers start posting this URL everywhere on social media. The message might get the attention of the media and several people might believe the news to be true which will cause huge business reputation and monetary damage

Impact

A professionally crafted defacement, delivered to the right recipients in a convincing manner, could be picked up by the news media and have real-world effects on people's behavior, stock prices, and so on, to the attacker's financial benefit.

References

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
Patrik Dufresne modified the Severity from High (7.3) to Medium (4.3) a year ago
Patrik Dufresne
a year ago

Maintainer

@nehalr777 Plz update the affected version. and registry.

So basically, displaying the Path not found is a vulnerability !?

If so, let change the severity to something more accurate...

Nehal Pillai
a year ago

Researcher

Hello sir , thank you for looking into this. It affects the latest version of rdiffweb. The application is throwing back the requested endpoint in the form of a message, which in turn is the root cause of this. Just display a 404 and scrape out the error of the endpoint not found.

Nehal Pillai
a year ago

Researcher

The affected version is 2.4.6

Patrik Dufresne
a year ago

Maintainer

Plz edit the "Affected Version" in the report. It currently define as 4.6 and should be 2.4.6. Once done, I will validate the report.

Thanks

Nehal Pillai modified the report
a year ago
Nehal Pillai
a year ago

Researcher

The affected version in the report has been updated.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Patrik Dufresne validated this vulnerability a year ago

Thanks

Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nehal Pillai
a year ago

Researcher

Hello sir , Are you happy to proceed with a CVE for this issue as well ?

Patrik Dufresne
a year ago

Maintainer

Yes, let assign a CVE. @admin

Nehal Pillai
a year ago

Researcher

Hi @admin , I hope you are doing well . The maintainer has agreed to proceed with a CVE for this issue. Could you please assign a CVE?

We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. a year ago
Patrik Dufresne marked this as fixed in 2.4.8 with commit 5ac38b a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
test.py#L24-L220 has been validated
Ben Harvie
a year ago

Admin

A CVE has now been assigned to this report as requested :)

to join this conversation