We can still send a photo as a greeting card even when its album is locked in admidio/admidio

Valid

Reported on

Jun 5th 2023


1. Admin creates an album and uploads a photo.

2. member-1 logs in and sends the photo as a greeting card to member-2.

3. member-1 uses Burp Suite to intercept the request, which looks like this:

POST /adm_program/modules/ecards/ecard_send.php HTTP/1.1
....
admidio-csrf-token=5MWloNNqzipYc1YKQVvW2pDMkSBmn7&submit_action=&photo_uuid=bb7538ba-6d68-443d-b769-dddac4aa3021&photo_nr=1&ecard_template=postcard.tpl&ecard_recipients%5B%5D=4&ecard_message=%3Cp%3Etest%3C%2Fp%3E%0D%0A&btn_ecard_submit=

4. Admin locks the album; Admidio now reports: "The album is currently locked and will not be shown to visitors for this reason."

5. However, member-1 replays the captured request and finds that the photo is still sent successfully.

Impact

Sensitive information disclosure

Even when the album is locked, i.e. nobody else can see the photos, these photos can still be viewed through the email sent by the ecard_send endpoint: the lock is enforced only in the album view, not in the request handler that sends the card.
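The root cause described above is a missing server-side authorization check: the send handler trusts that the user reached it through the album page instead of re-checking, on every request, that the album is still viewable. The following is an added example, not Admidio's own code, showing what such a gate looks like. It assumes the photo_uuid parameter identifies an album and photo_nr a photo within it; the album store, the user array fields, and the function names are constructed for illustration.

```php
<?php
// Added example (not Admidio's own code): a server-side authorization gate
// that a greeting-card send handler should run on every request.
// The album store, user fields and function names are constructed for
// illustration and are not Admidio identifiers.

declare(strict_types=1);

// Constructed sample album store, keyed by album UUID.
const ALBUMS = [
    'album-open'   => ['locked' => false, 'photos' => 3],
    'album-locked' => ['locked' => true,  'photos' => 3],
];

/**
 * Decide whether $user may send photo $photoNr of album $albumUuid as a card.
 * Returns null when allowed, otherwise the reason for the denial.
 * The decision is taken from current server state, never from what the UI
 * showed when the request was first built.
 */
function checkEcardSendAllowed(array $user, string $albumUuid, int $photoNr): ?string
{
    if (empty($user['loggedIn'])) {
        return 'not logged in';
    }
    $album = ALBUMS[$albumUuid] ?? null;
    if ($album === null) {
        return 'album does not exist';
    }
    if ($photoNr < 1 || $photoNr > $album['photos']) {
        return 'photo does not exist';
    }
    // This is the check the report shows was missing: a locked album is not
    // viewable by ordinary members, so nothing from it may be mailed out,
    // even if a previously captured request is replayed with a valid token.
    if ($album['locked'] && empty($user['isPhotoAdmin'])) {
        return 'album is locked';
    }
    return null;
}

/**
 * Minimal stand-in for the send handler. A real handler validates the CSRF
 * token first; the authorization gate below must run before any mail is built.
 */
function handleEcardSend(array $user, array $post): string
{
    $albumUuid = (string) ($post['photo_uuid'] ?? '');
    $photoNr   = (int) ($post['photo_nr'] ?? 0);

    $reason = checkEcardSendAllowed($user, $albumUuid, $photoNr);
    if ($reason !== null) {
        // Deny and log: a replayed request shows up as repeated denials
        // for one user against one album, which is easy to alert on.
        error_log(sprintf('ecard_send denied for %s on %s: %s', $user['name'], $albumUuid, $reason));
        return '403 ' . $reason;
    }
    // Recipient lookup and mail sending would follow here.
    return '200 sent';
}

$member = ['name' => 'member-1', 'loggedIn' => true, 'isPhotoAdmin' => false];
echo handleEcardSend($member, ['photo_uuid' => 'album-open',   'photo_nr' => '1']), PHP_EOL;
echo handleEcardSend($member, ['photo_uuid' => 'album-locked', 'photo_nr' => '1']), PHP_EOL;
```

Run it with `php example.php`: the first call succeeds, the second is refused because the album is locked, regardless of how the request was assembled. The point of the design is that every state that hides a photo in the album view (locked, deleted, restricted) must be re-evaluated by every endpoint that can emit that photo, including ones that deliver it by email.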

We are processing your report and will contact the admidio team within 24 hours. 4 months ago
lujiefsi modified the report 4 months ago
We have contacted a member of the admidio team and are waiting to hear back 4 months ago
Markus Faßbender validated this vulnerability 3 months ago
lujiefsi has been awarded the disclosure bounty
Markus Faßbender marked this as fixed in 4.2.9 with commit 3d8baf 3 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jun 18th 2023
Markus Faßbender published this vulnerability 3 months ago