Application allows the same SSH key to be added for different users in ikus060/rdiffweb
Valid
Reported on Dec 23rd 2022
Description
With SSH keys, you can connect to Rdiffweb without supplying your username and personal access token at each visit. Rdiffweb allows the same SSH public key to be registered by multiple users. For example, if user A has registered SSH key '1', users B and C can register that same key as well. The application detects a duplicate SSH key by comparing the key name, which is only a label chosen by the user to identify the key, rather than the key material itself.
Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys#
2) Log into account 'A' and add an SSH key, naming it TEST.
3) Log into account 'B' and add an SSH key using the same public key, this time naming it BEST. The key is accepted.
Note: if you reuse the name TEST in step 3, the application reports the key as a duplicate. The duplicate check is therefore performed on the name, not on the key.
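The following Python example, added to this report and not taken from rdiffweb's code base, contrasts a duplicate check that compares only the key title (the behaviour described in the steps above) with one that compares the fingerprint of the key material across all users. The two store classes, the sample key bytes and the user names are constructed for the example; rdiffweb's real data model and functions are not shown here.

```python
"""Added example: why deduplicating SSH keys by title is the wrong check.

Illustrative code written for this report, not rdiffweb's implementation.
The store classes, helper names and sample data below are hypothetical.
"""
import base64
import hashlib
import struct


def build_openssh_pubkey(keytype: str, key_material: bytes, comment: str = "") -> str:
    """Assemble an OpenSSH public-key line (the authorized_keys format).

    Used here only to construct sample input; real keys come from ssh-keygen.
    The blob layout (length-prefixed type string, then length-prefixed key
    bytes) matches what ssh-ed25519 keys use on the wire.
    """
    blob = struct.pack(">I", len(keytype)) + keytype.encode()
    blob += struct.pack(">I", len(key_material)) + key_material
    line = f"{keytype} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public-key line.

    Only the key blob is hashed, so the trailing comment and surrounding
    whitespace do not change the result. Raises ValueError on malformed input.
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class TitleOnlyKeyStore:
    """Mirrors the reported behaviour: 'duplicate' is decided by the title alone,
    so the same public key is accepted under a different title, even for
    another user."""

    def __init__(self) -> None:
        self._titles: set = set()
        self._keys: list = []  # (user, title, pubkey_line)

    def add(self, user: str, title: str, pubkey_line: str) -> bool:
        if title in self._titles:
            return False  # rejected only because the name is taken
        self._titles.add(title)
        self._keys.append((user, title, pubkey_line))
        return True

    def users_for_key(self, pubkey_line: str) -> list:
        """Every user who registered this key; more than one means the key
        no longer identifies a single account at login."""
        fp = fingerprint(pubkey_line)
        return [u for u, _, k in self._keys if fingerprint(k) == fp]


class FingerprintKeyStore:
    """Hardened variant: uniqueness is enforced on the key fingerprint across
    all users; the title is only a per-user label."""

    def __init__(self) -> None:
        self._owner_by_fp: dict = {}
        self._titles_by_user: dict = {}

    def add(self, user: str, title: str, pubkey_line: str) -> bool:
        try:
            fp = fingerprint(pubkey_line)
        except ValueError:
            return False  # unparsable key material is rejected outright
        if fp in self._owner_by_fp:
            return False  # already registered by this or any other user
        titles = self._titles_by_user.setdefault(user, set())
        if title in titles:
            return False  # title clash is only checked within one account
        titles.add(title)
        self._owner_by_fp[fp] = user
        return True

    def user_for_key(self, pubkey_line: str):
        """Exactly one owner (or None), so the key maps to one account."""
        return self._owner_by_fp.get(fingerprint(pubkey_line))


# Constructed sample keys: bytes(range(32)) is NOT a real key, just stable input.
SAMPLE_KEY = build_openssh_pubkey("ssh-ed25519", bytes(range(32)), "alice@laptop")
SAME_KEY_OTHER_COMMENT = build_openssh_pubkey("ssh-ed25519", bytes(range(32)), "bob@desktop")


if __name__ == "__main__":
    for store in (TitleOnlyKeyStore(), FingerprintKeyStore()):
        print(type(store).__name__)
        print("  A adds TEST:", store.add("A", "TEST", SAMPLE_KEY))
        print("  B adds TEST (same key, same title):", store.add("B", "TEST", SAMPLE_KEY))
        print("  B adds BEST (same key, new title):", store.add("B", "BEST", SAMPLE_KEY))
```

Two design points follow from the hardened store. First, the comparison must be on the decoded key blob (or its fingerprint), not on the raw text line: the same key with a different trailing comment or extra whitespace is still the same key, and the title-only store accepts it. Second, when a key is already taken by another account, the rejection should be a generic "this key is already registered" rather than naming the owner, otherwise the check turns into an oracle for which accounts hold which keys.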
Impact
This issue gives rise to a broken access control vulnerability: because SSH-key login does not require a username, a key that is registered to several accounts no longer identifies a single user.