Cross-Site Request Forgery (CSRF) in ampache/ampache


Reported on Aug 31st 2021

✍️ Description

A CSRF bug allows an attacker to disable a user.

🕵️‍♂️ Proof of Concept

I see that when disabling a user there is no CSRF token check.
1. First, log into an admin account.
2. Now copy the URL http://localhost/ampache-develop/public/admin/users.php?action=disable&user_id=3, paste it into a browser tab and hit Enter.
3. The user will now be disabled.
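To show the defensive side of what the report describes, here is an added illustrative example (not Ampache's own code, and not the project's actual fix): a state-changing admin action that a bare GET URL can trigger with only the session cookie as proof of intent, beside a hardened handler that refuses GET and requires a per-session anti-CSRF token. The helpers verify_admin() and disable_user() are hypothetical stand-ins for the application's own logic.

```php
<?php
// Added illustrative example, not Ampache's code. Contrasts a session-only,
// GET-reachable admin action (the pattern in the report) with a hardened one.
// verify_admin() and disable_user() are hypothetical placeholders.
declare(strict_types=1);
session_start();
function verify_admin(): void   // hypothetical: abort unless session is admin
{
    if (empty($_SESSION['is_admin'])) { http_response_code(403); exit; }
}
function disable_user(int $id): void { /* hypothetical: set disabled flag */ }

// Vulnerable pattern: any request that carries the admin's session cookie
// performs the action, including one the admin never meant to send.
function handle_disable_vulnerable(array $get): void
{
    verify_admin();
    if (($get['action'] ?? '') === 'disable') {
        disable_user((int) ($get['user_id'] ?? 0));
    }
}

// Hardened: one random per-session token, emitted in the form, required back.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function render_disable_form(int $userId): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="users.php">'
         . '<input type="hidden" name="action" value="disable">'
         . '<input type="hidden" name="user_id" value="' . $userId . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Disable user</button></form>';
}
function handle_disable_hardened(string $method, array $post): void
{
    verify_admin();
    if ($method !== 'POST') { http_response_code(405); return; }  // no GET side effects
    $sent = (string) ($post['csrf_token'] ?? '');
    if ($sent === '' || !hash_equals(csrf_token(), $sent)) {      // constant-time compare
        http_response_code(403); return;
    }
    if (($post['action'] ?? '') === 'disable') {
        disable_user((int) ($post['user_id'] ?? 0));
    }
}
```

Marking the session cookie SameSite=Lax or Strict adds a second layer, but the token check is what makes the action unforgeable from another origin.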

💥 Impact

A logged-in admin can be made to disable a user via CSRF.


We have contacted a member of the ampache team and are waiting to hear back (a year ago)
lachlan validated this vulnerability (a year ago)
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs (a year ago)

I've put enable and disable behind confirmation dialogs now with

lachlan confirmed that a fix has been merged on bcdd8b (a year ago)
lachlan has been awarded the fix bounty