Cross-Site Request Forgery (CSRF) in ampache/ampache

Valid

Reported on

Aug 31st 2021


✍️ Description

CSRF bug to disable a user

🕵️‍♂️ Proof of Concept

I see that when disabling a user there is no CSRF token check.
1. First log in to the admin account.
2. Now copy the URL http://localhost/ampache-develop/public/admin/users.php?action=disable&user_id=3, paste it in a browser tab and hit enter.
Now the user will be disabled.

💥 Impact

Disable a user using the CSRF bug
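As an added example (not Ampache's code and not the project's own fix), this is the defensive shape such an admin handler can take in PHP: a GET to `?action=disable` only renders a confirmation form, and the actual state change requires a POST that carries a session-bound CSRF token compared in constant time. All function names here are hypothetical.

```php
<?php
// Added example, not Ampache's code: a hypothetical users.php-style handler.
// The reported bug is that GET ?action=disable&user_id=3 changes state with
// no CSRF token. Here a GET only renders a confirmation form; the state
// change requires a POST carrying a session-bound token.
declare(strict_types=1);
session_start();

// One random token per session, embedded as a hidden field in the form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Stand-in for the real disable logic (hypothetical).
function disable_user(int $userId): void
{
    error_log("user {$userId} disabled");
}

// Returns true only when the request is a POST with a valid token.
function handle_disable(string $method, array $post): bool
{
    if ($method !== 'POST') {
        http_response_code(405);   // a forged GET link never reaches the action
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time; a missing or wrong token is rejected.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        return false;
    }
    disable_user((int) ($post['user_id'] ?? 0));
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'GET' && ($_GET['action'] ?? '') === 'disable') {
    $id  = (int) ($_GET['user_id'] ?? 0);
    $tok = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo "<form method=\"post\"><input type=\"hidden\" name=\"csrf_token\" value=\"{$tok}\">"
       . "<input type=\"hidden\" name=\"user_id\" value=\"{$id}\">"
       . "<button type=\"submit\">Confirm disable</button></form>";
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    handle_disable('POST', $_POST);
}
```

Setting a SameSite attribute on the session cookie is a useful complementary defense, but it does not replace the per-request token check.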

Occurrences

We have contacted a member of the ampache team and are waiting to hear back 3 months ago
lachlan validated this vulnerability 3 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
lachlan (Maintainer), 3 months ago


I've put enable and disable behind confirmation dialogs now with https://github.com/ampache/ampache/commit/bcdd8bb86dcaec87248071aa5ebeacf73c20932c

lachlan confirmed that a fix has been merged on bcdd8b 3 months ago
lachlan has been awarded the fix bounty