Improper Cache control allows attacker to view sensitive data in ikus060/rdiffweb


Reported on

Sep 22nd 2022


Due to improper cache control an attacker can view sensitive information even if he is not logged into the account

Proof of Concept

  1. Go to and login into your account using given credentials
  2. Go to and this endpoint has the entire log
  3. Click on Logout
  4. Now press the back button of your browser
  5. You will notice that you are still able to view the sensitive data/log files

Mitigation: Cache-Control: private, no-cache, no-store, max-age=0 Pragma: no-cache Expires: 0


An attacker can get access to sensitive information due to improper cache control

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
Patrik Dufresne
a year ago


If I understand it well, admin_logs is not the only page affected. Almost any page contain sensitive information. e.g.: The browser page contain list of personal file and directory backup for the user. etc.

So I should probably apply these headers to all the pages except the static file like css, javascript, etc.

Nehal Pillai
a year ago


Yes sir , you are right all the sensitive endpoints are vulnerable to this issue. Applying this header to all sensitive endpoints would fix this issue :)

We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back a year ago
Patrik Dufresne validated this vulnerability a year ago
nehalr777 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the ikus060/rdiffweb team. We will try again in 7 days. a year ago
Patrik Dufresne marked this as fixed in 2.4.8 with commit 240678 a year ago
Patrik Dufresne has been awarded the fix bounty
admin_logs.html#L1-L34 has been validated
to join this conversation