Application allows adding the same SSH key to different users in ikus060/rdiffweb
Reported on
Dec 23rd 2022
# Description
With SSH keys, you can connect to Rdiffweb without supplying your username and personal access token at each visit. Rdiffweb allows the same SSH key to be used by multiple users. For example, if user A has registered SSH key '1', the same key can also be registered by user B and user C. The application detects duplicate SSH keys by the key name, which is only a title used to identify the key, and not by the actual SSH key material.
# Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys#
2) Log in to account 'A'. Create an SSH key and name it TEST.
3) Log in to account 'B'. Create an SSH key using the same public key, but name it BEST.
Note: if you use the same name, TEST, the application reports that the key is a duplicate. The application identifies duplicates through the name and not through the key itself.
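The following is an added example, not rdiffweb's code, showing the difference between the title-only duplicate check described above and a check on the actual key material. It assumes a small in-memory key store with a `KeyStore` class, a `fingerprint()` helper, and a constructed (not real) ed25519 public key built from the OpenSSH wire format; all names are illustrative.

```python
"""Added example (not rdiffweb's code): reject an SSH public key that is already
registered by any user, comparing normalized key material instead of the title."""
import base64
import hashlib
import struct
from dataclasses import dataclass


class DuplicateKeyError(ValueError):
    """Raised when a key (or, in the flawed mode, a title) is already registered."""


def normalize_key(public_key: str) -> str:
    """Return the canonical 'type base64' form of an OpenSSH public key line.

    The trailing comment (e.g. user@host) is dropped and the base64 body is
    decoded and re-encoded, so two lines carrying the same key material but a
    different comment or padding normalize to the same string.
    """
    parts = public_key.strip().split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, body = parts[0], parts[1]
    if not key_type.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
        raise ValueError("unsupported key type")
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError as exc:
        raise ValueError("invalid base64 in key body") from exc
    return f"{key_type} {base64.b64encode(raw).decode()}"


def fingerprint(public_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint of the key blob, used as the uniqueness key."""
    raw = base64.b64decode(normalize_key(public_key).split()[1])
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class StoredKey:
    user: str
    title: str
    fingerprint: str


class KeyStore:
    """In-memory key registry. check_by_key_material=False reproduces the
    title-only duplicate check the report describes; True is the hardened form."""

    def __init__(self, check_by_key_material: bool = True):
        self.check_by_key_material = check_by_key_material
        self.keys: list[StoredKey] = []

    def add_key(self, user: str, title: str, public_key: str) -> str:
        fp = fingerprint(public_key)
        if self.check_by_key_material:
            # Hardened: the same key material may exist only once, across all users.
            # The error does not reveal which account owns the key.
            if any(k.fingerprint == fp for k in self.keys):
                raise DuplicateKeyError("this SSH key is already registered")
        # Title must still be unique per user (this is the only check in the flawed mode).
        if any(k.user == user and k.title == title for k in self.keys):
            raise DuplicateKeyError("duplicate key name")
        self.keys.append(StoredKey(user, title, fp))
        return fp

    def users_for_fingerprint(self, fp: str) -> list[str]:
        """Accounts a presented key would authenticate as. Exactly one is the goal;
        more than one is the ambiguity that leads to broken access control."""
        return [k.user for k in self.keys if k.fingerprint == fp]


def constructed_ed25519_key(seed: bytes, comment: str) -> str:
    """Constructed test key (not a real key pair): the OpenSSH blob for ssh-ed25519 is
    string "ssh-ed25519" || string <32-byte public key>; 32 arbitrary bytes stand in."""
    pub = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: the same key material with two different comments.
KEY_A = constructed_ed25519_key(b"sample-seed", "a@laptop")
KEY_A_AGAIN = constructed_ed25519_key(b"sample-seed", "b@desktop")


def demo() -> tuple[list[str], list[str]]:
    """Register KEY_A for user A as TEST, then the same key for user B as BEST,
    in the flawed store and in the hardened store. Returns the users each store
    would authenticate for that key."""
    flawed = KeyStore(check_by_key_material=False)
    flawed.add_key("A", "TEST", KEY_A)
    flawed.add_key("B", "BEST", KEY_A_AGAIN)  # accepted: only the title differs

    hardened = KeyStore(check_by_key_material=True)
    hardened.add_key("A", "TEST", KEY_A)
    try:
        hardened.add_key("B", "BEST", KEY_A_AGAIN)
    except DuplicateKeyError:
        pass  # rejected: same key material regardless of title or comment

    fp = fingerprint(KEY_A)
    return flawed.users_for_fingerprint(fp), hardened.users_for_fingerprint(fp)


if __name__ == "__main__":
    print(demo())  # (['A', 'B'], ['A'])
```

The hardened check deliberately compares fingerprints of the decoded key blob rather than the submitted text, so a key resubmitted with a different comment, trailing whitespace, or title is still recognized as the same key.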
# Impact
This issue gives rise to a broken access control vulnerability, since the same SSH key ends up mapped to several user accounts.