No Limit in "title" length while adding SSH key , results in memory consumption/DOS attack in ikus060/rdiffweb

Valid

Reported on

Sep 24th 2022


Description

There must be a fixed maximum length for user-input parameters such as "title" when adding an SSH key. Allowing users to submit arbitrarily long strings may result in a DoS attack or memory corruption.

Proof of Concept

1) Go to the https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys# endpoint.
2) Click on "Add SSH key".
3) Observe that there is no limit on the "title" field when adding an SSH key, which allows a user to set a very long string, as long as 1 million characters.
4) This may possibly result in memory corruption or a DoS attack.

Mitigation: There must be a fixed maximum length for the "title" when adding an SSH key, up to 256 characters.
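One way to enforce that limit on the server side, as an added example that is not rdiffweb's own code or the fix in commit 626cca; the function names, the byte cap and the control-character check are assumptions, only the 256-character limit comes from the report:

```python
# Added example, not rdiffweb's code: server-side validation of the SSH key
# "title" field. 256 characters is the cap proposed in the Mitigation section;
# the 1024-byte storage cap and the function names are assumptions.
import unicodedata

TITLE_MAX_CHARS = 256   # limit proposed in the report
TITLE_MAX_BYTES = 1024  # assumed storage/column limit (UTF-8 encoded)


class ValidationError(ValueError):
    """Raised when user input fails a server-side check."""


def validate_ssh_key_title(raw):
    """Return a cleaned title or raise ValidationError.

    The length check runs before any normalisation so that a
    multi-megabyte string is rejected cheaply, not copied and processed.
    """
    if not isinstance(raw, str):
        raise ValidationError("title must be a string")
    # Cheap first check: reject oversize input before touching its content.
    if len(raw) > TITLE_MAX_CHARS:
        raise ValidationError(
            f"title too long ({len(raw)} characters, max {TITLE_MAX_CHARS})")
    title = raw.strip()
    if not title:
        raise ValidationError("title is required")
    # A key label should be one printable line; refuse control characters
    # (Unicode category C*) that could break the rendered key list.
    if any(unicodedata.category(ch)[0] == "C" for ch in title):
        raise ValidationError("title contains control characters")
    # Characters are not bytes: 256 code points can encode to far more than
    # 256 bytes, so also bound the size the backend will actually store.
    if len(title.encode("utf-8")) > TITLE_MAX_BYTES:
        raise ValidationError("title too long when encoded")
    return title


def check_title(raw):
    """Demo helper: (accepted, cleaned title or error message)."""
    try:
        return True, validate_ssh_key_title(raw)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs: a sane label, the boundary, and the
    # 1-million-character string the proof of concept describes.
    for sample in ["laptop key", "x" * 256, "x" * 257, "x" * 1_000_000]:
        accepted, message = check_title(sample)
        print(accepted, message[:60])
```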

Impact

Allows an attacker to set a "title" containing a very long string, leading to memory corruption or a possible DoS attack.

We are processing your report and will contact the ikus060/rdiffweb team within 24 hours. a year ago
We have contacted a member of the ikus060/rdiffweb team and are waiting to hear back a year ago
Patrik Dufresne assigned a CVE to this report a year ago
Patrik Dufresne validated this vulnerability a year ago
Nehal Pillai has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Patrik Dufresne marked this as fixed in 2.4.8 with commit 626cca a year ago
Patrik Dufresne has been awarded the fix bounty
This vulnerability will not receive a CVE
prefs_sshkeys.html#L1-L55 has been validated
Nehal Pillai
a year ago

Researcher


@admin this issue has been fixed. The maintainer has already assigned a CVE for this issue. Could we please publish the CVE?

Ben Harvie
a year ago

Admin


Hi nehalr777,

The publishing of a CVE will happen automatically within 24 hours of the fix being submitted, so it should be published shortly. Happy hunting!
