In September 2022, a critical business logic vulnerability (CVE-2022-3363) was disclosed for the widely used backup web interface, Rdiffweb, hosted in the ikus060/rdiffweb GitHub repository. The bug affected versions prior to 2.5.a7. Since Rdiffweb is often used to access, manage, and restore sensitive backup data, this flaw left many organizations and home users at risk.

This post offers a detailed examination of CVE-2022-3363—what it is, how it works (with code snippets), how it was exploited, remediation steps, and links for further reading.

What is CVE-2022-3363?

CVE-2022-3363 describes a business logic error that allowed remote attackers to gain access to restricted backup directories, bypassing standard authentication checks. In other words, someone could directly view, modify, or delete backup data they shouldn’t have had access to.

Business logic errors aren’t bugs in the code itself, but in how rules and workflows are implemented. Here, the developers failed to correctly validate user permissions during some API and web requests—potentially letting regular users access admin-level areas, or allowing unauthorized navigation between backup directories.

How Does The Vulnerability Work? (Technical Details)

The flaw lies in the way Rdiffweb handled path traversal and permission checks during certain HTTP requests. An attacker could craft a request that the logic would mishandle—granting them access to a broader set of backups.

Let’s look at a simplified version of the affected logic (pseudocode for clarity):

import os

# Simplified vulnerable handler from early Rdiffweb versions
# (get_user_backup_base_path and open_backup_directory stand in for the
# application's own helpers)

def get_backup_directory(user, requested_path):
    # Get the base path for the user's permitted backups
    user_base_path = get_user_backup_base_path(user)

    # Vulnerable: never checks that requested_path stays within user_base_path;
    # ".." segments (or an absolute requested_path) escape the base directory
    full_path = os.path.join(user_base_path, requested_path)

    if os.path.exists(full_path):
        return open_backup_directory(full_path)
    else:
        raise Exception("Directory does not exist.")

Here’s the problem:

- If an attacker submits a path like ../../admin_backup/secret, the os.path.join() call does nothing to prevent directory traversal: each .. segment moves one level up, and an absolute requested_path replaces the base path entirely.
- The function never checks whether the resulting full_path actually stays inside the user's permitted area.

So, if the filesystem had an admin_backup directory above the user’s backup folder, a normal user could see it. That means the business logic (expected behavior: users should ONLY see their own data) is broken.

Here’s how attackers could exploit CVE-2022-3363:

1. Input Manipulation: They send requests to the Rdiffweb server with paths like /explore/../../admin/
2. Bypassed Authorization: The server naively joins the paths and gives access to the parent directory.
3. Sensitive Data Exposure: Attackers view or even modify backups they shouldn’t be able to reach.

Example exploit using curl:

curl -u normaluser:password \
  http://backupserver:800/explore/../../admin_backup/private/

If the vulnerability is present, this might list the contents of the admin_backup/private directory, which should be forbidden.

References

- NVD Entry for CVE-2022-3363
- Original GitHub Advisory
- Rdiffweb Changelog (security fix)

How Was it Fixed?

After the report, Rdiffweb maintainers patched the logic to normalize paths and ensure they stayed within allowed areas.

Example of a safe version:

import os

def get_backup_directory(user, requested_path):
    # Normalize the base path too, so the comparison below is like-for-like
    user_base_path = os.path.abspath(get_user_backup_base_path(user))
    # Normalize to an absolute path; this collapses any ".." segments
    full_path = os.path.abspath(os.path.join(user_base_path, requested_path))

    # Critical: full_path must be the base directory itself or lie below it.
    # Comparing against base + os.sep (not a bare string prefix) stops
    # "/backups/bob" from matching a sibling such as "/backups/bob2".
    if full_path != user_base_path and not full_path.startswith(user_base_path + os.sep):
        raise Exception("Access Denied")

    if os.path.exists(full_path):
        return open_backup_directory(full_path)
    else:
        raise Exception("Directory does not exist.")

Now, even if you send ../../admin_backup, your request is blocked because you're trying to go outside your authorized directory.
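The containment check a defender usually wants goes one step further than a string prefix test: it should resolve symlinks and compare path components, so that a sibling directory whose name merely starts with the user's base name is not mistaken for a child of it. The following is an added example, not Rdiffweb's own code; the base directory, the request paths and the helper names (safe_backup_path, classify_requests) are constructed for illustration and cover the traversal, absolute-path, sibling-prefix and empty-path cases discussed above.

```python
import os

# Added example (not Rdiffweb's code): a containment check for a user-supplied
# backup sub-path. The base directory and request paths below are constructed.

def safe_backup_path(user_base_path, requested_path):
    """Return the absolute path for requested_path if it lies inside
    user_base_path; raise PermissionError otherwise."""
    # Resolve symlinks and collapse ".." on both sides so the comparison is
    # like-for-like. realpath() also works on paths that do not exist yet.
    base = os.path.realpath(user_base_path)
    candidate = os.path.realpath(os.path.join(base, requested_path))
    # commonpath() compares whole components, so "/srv/backups/alice2" is NOT
    # inside "/srv/backups/alice", unlike a plain str.startswith() prefix test.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{requested_path!r} escapes the user's backup root")
    return candidate

def classify_requests(user_base_path, requested_paths):
    """Map each request to 'allowed' or 'denied'; useful in unit tests and
    for reviewing which inputs a handler would accept."""
    verdicts = {}
    for path in requested_paths:
        try:
            safe_backup_path(user_base_path, path)
            verdicts[path] = "allowed"
        except PermissionError:
            verdicts[path] = "denied"
    return verdicts

# Constructed sample inputs: one legitimate sub-path, one ".." traversal,
# one absolute path, one sibling-prefix case and the empty path (the root itself).
SAMPLE_BASE = "/srv/backups/alice"
SAMPLE_REQUESTS = [
    "daily/2022-09-01",
    "../../admin_backup/private",
    "/etc/shadow",
    "../alice2/daily",
    "",
]

if __name__ == "__main__":
    for path, verdict in classify_requests(SAMPLE_BASE, SAMPLE_REQUESTS).items():
        print(f"{verdict:7} {path!r}")
```

Running the block prints one verdict per sample request; only the legitimate sub-path and the empty path (the user's own root) are allowed. Because both sides are passed through os.path.realpath(), the decision is the same whether or not the base directory is reached through a symlink.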

Remediation

If you run Rdiffweb, update to at least v2.5.a7 immediately. There’s no reliable mitigation in earlier versions, as the patch fundamentally changes how directory logic is checked.

To update:

pip install --upgrade rdiffweb

Or, if you use Docker:

docker pull ikus060/rdiffweb:2.5.a7

Conclusion

CVE-2022-3363 is a classic example of why business logic errors are so dangerous: they slip through standard code reviews and leave gaping holes because *the code works*, just not how it should.

If you use backup management tools like Rdiffweb, check your version today. Make sure your users can’t see each other’s data and that your sensitive backups stay protected.

Further Reading

- OWASP Directory Traversal
- Rdiffweb Official Documentation

If you have questions about CVE-2022-3363, feel free to comment below or check out the links in this article. Stay safe!

Timeline

Published on: 10/26/2022 21:15:00 UTC
Last modified on: 11/01/2022 14:12:00 UTC