Improper Cache control allows attacker to view sensitive data in ikus060/rdiffweb
Reported on
Sep 22nd 2022
Description
Due to improper cache control, an attacker can view sensitive information even if he is not logged into the account.
Proof of Concept
- Go to https://rdiffweb-demo.ikus-soft.com/login/ and log in to your account using the given credentials
- Go to https://rdiffweb-demo.ikus-soft.com/admin/logs; this endpoint has the entire log
- Click on Logout
- Now press the back button of your browser
- You will notice that you are still able to view the sensitive data/log files
Mitigation:
- Cache-Control: private, no-cache, no-store, max-age=0
- Pragma: no-cache
- Expires: 0
Impact
An attacker can get access to sensitive information due to improper cache control.
Occurrences
If I understand it well, admin_logs is not the only page affected. Almost any page contains sensitive information, e.g. the browser page contains the list of personal files and directories backed up for the user, etc.
So I should probably apply these headers to all the pages except the static files like css, javascript, etc.
Yes sir, you are right, all the sensitive endpoints are vulnerable to this issue. Applying these headers to all sensitive endpoints would fix this issue :)
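The two points above, the three headers proposed as mitigation and the maintainer's remark that they should cover every dynamic page while leaving static files alone, can be combined into a single WSGI middleware. The following is an added example written for this page, not rdiffweb's own fix (rdiffweb runs on CherryPy, and the `/static/` prefix below is an assumption about where css and javascript live). It also includes a small check function that tells, from a response's headers alone, whether a browser may still serve that response from history after logout, which is the condition the proof of concept exercises.

```python
"""Added example: apply no-store cache headers to every dynamic response.

Illustrative WSGI middleware, not rdiffweb's own code. The static-file
prefix and the demo application below are constructed for the example.
"""
from wsgiref.util import setup_testing_defaults

# The three headers proposed as mitigation in the report.
NO_STORE_HEADERS = [
    ("Cache-Control", "private, no-cache, no-store, max-age=0"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

# Assumption: static assets (css, javascript) are served under this prefix
# and may keep whatever caching the application chooses for them.
STATIC_PREFIXES = ("/static/",)


def is_static(path, prefixes=STATIC_PREFIXES):
    """True for paths that should be left cacheable."""
    return path.startswith(prefixes)


class NoStoreMiddleware:
    """Wrap a WSGI app so every non-static response carries no-store headers.

    Any Cache-Control/Pragma/Expires header the wrapped app already set is
    replaced, so a permissive value cannot slip through on a sensitive page.
    """

    def __init__(self, app, static_prefixes=STATIC_PREFIXES):
        self.app = app
        self.static_prefixes = static_prefixes

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")

        def patched_start_response(status, headers, exc_info=None):
            if not is_static(path, self.static_prefixes):
                drop = {name.lower() for name, _ in NO_STORE_HEADERS}
                headers = [(n, v) for n, v in headers if n.lower() not in drop]
                headers.extend(NO_STORE_HEADERS)
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for a page such as /admin/logs: sets no cache policy."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"constructed sensitive log content"]


def fetch(app, path):
    """Run one request through a WSGI app offline; return (status, headers, body).

    Header names are lowercased in the returned dict for easy lookup.
    """
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def response_is_cacheable(headers):
    """True if a browser may store this response and replay it from history.

    A response without the no-store directive can be shown again after the
    user presses Back post-logout, which is exactly what the report describes.
    """
    cache_control = headers.get("cache-control", "").lower()
    directives = {d.strip() for d in cache_control.split(",")}
    return "no-store" not in directives


if __name__ == "__main__":
    wrapped = NoStoreMiddleware(demo_app)
    for path in ("/admin/logs", "/static/main.css"):
        _, hdrs, _ = fetch(wrapped, path)
        print(path, "cacheable:", response_is_cacheable(hdrs), hdrs)
```

Running the module prints that `/admin/logs` is no longer cacheable while `/static/main.css` is untouched. Applying the headers in one place rather than per endpoint is what makes the maintainer's "all pages except static files" rule hold as new pages are added.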