Application allows to add same SSH key among different users in ikus060/rdiffweb


Reported on

Dec 23rd 2022


With SSH keys, you can connect to Rdiffweb without supplying your username and personal access token at each visit. Rdiffweb allows the same SSH key to be used by multiple users. For example: user A has registered SSH key '1'; the same key can then be added by user B and user C. The application identifies a duplicate SSH key by its name, which is only a title used to label the key, rather than by the actual key material.

Proof of Concept

1) Go to 
2) Log in to account 'A'. Create an SSH key and name it TEST
3) Log in to account 'B'. Create an SSH key using the same public key, but name it BEST

Note: if you reuse the same name, TEST, the application reports that the key is a duplicate. Duplicates are identified by the name, not by the key itself.
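The flaw described above, and the check that closes it, as an added illustration (this is not rdiffweb's code, and the key blobs are constructed, not real keys): the vulnerable store compares only the free-text title, so the same public key is accepted again under a different title; the fixed store derives a fingerprint from the key material (type and base64 blob, ignoring title and comment) and rejects it if any account already holds it.

```python
import base64
import hashlib
from dataclasses import dataclass, field


@dataclass
class SshKey:
    title: str
    public_key: str  # OpenSSH one-line format: "<type> <base64 blob> [comment]"


@dataclass
class User:
    username: str
    keys: list = field(default_factory=list)


def fingerprint(public_key: str) -> str:
    """Return an OpenSSH-style SHA256 fingerprint of the key material.

    Only the key type and the base64 blob identify a key. The title stored in
    the application and the trailing comment are free text, so neither may take
    part in the duplicate comparison.
    """
    parts = public_key.strip().split()
    if len(parts) < 2:
        raise ValueError("malformed public key")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class VulnerableKeyStore:
    """Duplicate detection by title only (the behaviour the report describes)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}

    def add_key(self, username: str, title: str, public_key: str) -> None:
        # Compares the label, never the key material, so the same key slips
        # through under any other title.
        for owner in self.users.values():
            if any(k.title == title for k in owner.keys):
                raise ValueError("duplicate key")
        user = self.users.setdefault(username, User(username))
        user.keys.append(SshKey(title, public_key))


class FixedKeyStore(VulnerableKeyStore):
    """Duplicate detection by fingerprint across every account."""

    def add_key(self, username: str, title: str, public_key: str) -> None:
        fp = fingerprint(public_key)
        for owner in self.users.values():
            if any(fingerprint(k.public_key) == fp for k in owner.keys):
                raise ValueError(f"{fp} is already registered to {owner.username}")
        super().add_key(username, title, public_key)


def try_add(store: VulnerableKeyStore, username: str, title: str, public_key: str) -> str:
    try:
        store.add_key(username, title, public_key)
        return "accepted"
    except ValueError:
        return "rejected"


def demo() -> dict:
    # Constructed sample keys: the blobs are arbitrary bytes, not real key data.
    key_a = "ssh-ed25519 " + base64.b64encode(b"constructed key blob 1").decode() + " a@example"
    key_a_other_comment = key_a.rsplit(" ", 1)[0] + " b@example"
    key_b = "ssh-ed25519 " + base64.b64encode(b"constructed key blob 2").decode() + " b@example"

    results = {}
    vuln = VulnerableKeyStore()
    vuln.add_key("A", "TEST", key_a)
    results["vuln_same_title"] = try_add(vuln, "B", "TEST", key_a)    # rejected: title clash
    results["vuln_other_title"] = try_add(vuln, "B", "BEST", key_a)   # accepted: the bug

    fixed = FixedKeyStore()
    fixed.add_key("A", "TEST", key_a)
    results["fixed_other_title"] = try_add(fixed, "B", "BEST", key_a)                 # rejected
    results["fixed_comment_changed"] = try_add(fixed, "B", "BEST", key_a_other_comment)  # rejected
    results["fixed_distinct_key"] = try_add(fixed, "B", "BEST", key_b)                # accepted
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Comparing fingerprints rather than the raw one-line string also catches the case where the same key is re-submitted with a different comment or surrounding whitespace, which a plain string comparison would treat as a new key.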

# Impact

This issue gives rise to a broken access control vulnerability.
We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
Patrik Dufresne validated this vulnerability a year ago
nehalr777 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne marked this as fixed in 2.5.5 with commit c4a19c a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability has now been published a year ago