CSRF in all endpoints of /lib/ajax.php by changing the request method to GET in froxlor/froxlor

Valid

Reported on

Jan 30th 2023


Description

I have found a CSRF in all the requests in /lib/ajax.php by changing the request method to GET, and the page also gets errors, so the user cannot use any function on the page.

Proof of Concept

1. Go to https://demo.froxlor.org/ and log in as any user, e.g. admin
2. Now open https://demo.froxlor.org/lib/ajax.php?action=updatetablelisting&listing=mysqlserver_list&theme=Froxlor&columns%5Bcaption%5D=caption&columns%5Bhost%5D=host&columns%5Bport%5D=port
3. Then go to https://demo.froxlor.org/admin_admins.php?page=admins
4. You can see the updated columns
5. Then change the column name to an unknown one, e.g. https://demo.froxlor.org/lib/ajax.php?action=updatetablelisting&listing=mysqlserver_list&theme=Froxlor&columns%5Bcaption%5D=caption123
6. Then go to https://demo.froxlor.org/admin_admins.php?page=admins and you can see only errors; because the frontend content was changed, the user finds it difficult to access the functions on the current page

Video POC: https://drive.google.com/file/d/1-_i7XDSiBIjVIZvZgiCrnh4F9Hjg6GH7/view?usp=share_link

Impact

CSRF in all the requests in /lib/ajax.php
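The weakness the report exercises is an AJAX dispatcher that accepts a state-changing action (updatetablelisting) over a plain GET without any request-origin check, so a link or image tag on another site can rewrite a logged-in user's table layout. The following is an added illustrative example, not froxlor's code and not the contents of the fix commit referenced in the timeline: a guard placed in front of such a dispatcher that refuses the action unless it arrives as a POST carrying the session's CSRF token, with a SameSite session cookie as defence in depth. The function names (csrf_token, csrf_request_ok), the csrf_token field/X-CSRF-Token header, and the $stateChanging table are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustrative example, not froxlor's code and not its fix: a guard in
// front of an AJAX dispatcher so that a state-changing action (here the
// page-specific "updatetablelisting") cannot be triggered by a cross-site
// GET request. Assumes PHP 7.3+ and that the page which issues the AJAX
// call sends the token back in a POST field or an X-CSRF-Token header.

// Defence in depth: a SameSite cookie keeps the session cookie out of most
// cross-site navigations even before the token check runs.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Return the session's CSRF token, creating it on first use. The page that
// renders the table listing must embed this value so the AJAX call can send it back.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST that carries the token matching this session.
function csrf_request_ok(string $method, ?string $submitted, string $expected): bool
{
    if ($method !== 'POST' || $submitted === null) {
        return false;
    }
    // hash_equals compares in constant time and rejects length mismatches.
    return hash_equals($expected, $submitted);
}

// Only actions that change server-side state need the guard (assumed table);
// a pure read may stay reachable by GET.
$stateChanging = ['updatetablelisting' => true];

$action = $_POST['action'] ?? $_GET['action'] ?? '';
if (!is_string($action)) {
    $action = '';
}

if (isset($stateChanging[$action])) {
    $submitted = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    $ok = csrf_request_ok(
        $_SERVER['REQUEST_METHOD'],
        is_string($submitted) ? $submitted : null,
        csrf_token()
    );
    if (!$ok) {
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
            header('Allow: POST');
            http_response_code(405);   // wrong method: the GET from the report lands here
        } else {
            http_response_code(403);   // POST without a valid token
        }
        header('Content-Type: application/json');
        echo json_encode(['error' => 'state-changing actions require a POST carrying a valid CSRF token']);
        exit;
    }
}

// ... dispatch $action to its handler here; the columns[...] parameters are
// only honoured once the guard above has passed.
```

The two checks are deliberately separate: enforcing POST alone does not stop a cross-site form submission, and a token alone still leaves the action reachable by a bookmarkable URL, so a state-changing AJAX endpoint should require both. Detection-wise, 405 responses on /lib/ajax.php for actions that should only ever be POSTed are a cheap signal in access logs that someone is probing the endpoint the way the report describes.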

We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
We have contacted a member of the froxlor team and are waiting to hear back 2 months ago
froxlor/froxlor maintainer has acknowledged this report 2 months ago
Michael Kaufmann validated this vulnerability 2 months ago
Dinesh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Dinesh (Researcher), 2 months ago:

Any update on this?

Michael Kaufmann marked this as fixed in 2.0.11 with commit 4003a8 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 25th 2023
Michael Kaufmann published this vulnerability a month ago