CSRF in all endpoints of /lib/ajax.php by Changing the request method to GET in froxlor/froxlor


Reported on

Jan 30th 2023


I have found a CSRF in all the request in /lib/ajax.php by changing the request to GET and the page is also get errors. So user cannot use any function on the page

Proof of Concept

1. Go to https://demo.froxlor.org/ and login as any user. ie. admin
2. Now open https://demo.froxlor.org/lib/ajax.php?action=updatetablelisting&listing=mysqlserver_list&theme=Froxlor&columns%5Bcaption%5D=caption&columns%5Bhost%5D=host&columns%5Bport%5D=port
3. Then go to https://demo.froxlor.org/admin_admins.php?page=admins
4. You can see the updated columns
5. Then change the column name to unknown ie; https://demo.froxlor.org/lib/ajax.php?action=updatetablelisting&listing=mysqlserver_list&theme=Froxlor&columns%5Bcaption%5D=caption123
6. Then go to https://demo.froxlor.org/admin_admins.php?page=admins and you can see the errors only and due to frontend content changed user difficult to access the function in current page

Video POC: https://drive.google.com/file/d/1-_i7XDSiBIjVIZvZgiCrnh4F9Hjg6GH7/view?usp=share_link


CSRF in all the request in /lib/ajax.php

We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
We have contacted a member of the froxlor team and are waiting to hear back 2 months ago
froxlor/froxlor maintainer has acknowledged this report 2 months ago
Michael Kaufmann validated this vulnerability 2 months ago
Dinesh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
2 months ago


Any update on this?

Michael Kaufmann marked this as fixed in 2.0.11 with commit 4003a8 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 25th 2023
Michael Kaufmann published this vulnerability a month ago
to join this conversation