Application allows to add same SSH key among different users in ikus060/rdiffweb

Valid

Reported on

Dec 23rd 2022

Description

With SSH keys, you can connect to Rdiffweb without supplying your username and personal access token at each visit. Rdiffweb allows the same SSH key to be used by multiple users . For Example: User A has used SSH key '1' , the same key can be used by User B , User C . The application is identifying a duplicate SSH key via SSH key name that is only a title to identify the key and not the actual SSH key.

Proof of Concept

1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys# 
2) Login into account 'A' .Create an SSH key , name it as TEST
3) Login into account 'B'. Create SSH key using the same public key , just name it as BEST

Note: if you use the same name - TEST then , it will say that this key is duplicate . The application is identifying duplicates through the name and not the key.




# Impact

This issue gives rise to a Broken access control vulnerability

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago

Patrik Dufresne validated this vulnerability a year ago

Nehal Pillai has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Patrik Dufresne marked this as fixed in 2.5.5 with commit c4a19c a year ago

Patrik Dufresne has been awarded the fix bounty

This vulnerability has been assigned a CVE

Patrik Dufresne published this vulnerability a year ago

to join this conversation