GET-based CSRF on Reset OP Cache functionality in froxlor/froxlor

Valid

Reported on

Dec 31st 2022


Description

The functionality to reset the OPCache is vulnerable to CSRF. In fact, it would be good practice to implement a CSRF token in the URL if the GET functionality is meant to trigger an action instead of only retrieving data. Alternatively, it can be turned into a POST request, which I can see already has CSRF protection implemented.

Proof of Concept

  • Log in as admin (but right now it also works with a reseller user)
  • Open this link: https://v2.demo.froxlor.org/admin_opcacheinfo.php?page=showinfo&action=reset

You will see the 302 status code and then, the page redirects to the overview page, as intended.

Impact

With this vulnerability, an attacker can trick the admin or reseller user into resetting the OPCache just by sending them the link (if they have change_serversettings set to 1).
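As an added illustration of the pattern described above (not froxlor's own code and not the fix from the referenced commit; function and field names are hypothetical), a handler that resets the cache on a bare GET parameter next to a hardened version that requires POST and a session-bound CSRF token:

```php
<?php
// Added example, not froxlor code. Helper names are hypothetical.
session_start();

// Vulnerable pattern: a GET parameter alone triggers a state change.
// The browser attaches the session cookie to a cross-site GET as well,
// so merely following a link performs the reset as the logged-in admin.
function handle_reset_vulnerable(array $get): string
{
    if (($get['action'] ?? '') === 'reset') {
        if (function_exists('opcache_reset')) {
            opcache_reset();
        }
        return 'reset';
    }
    return 'noop';
}

// Hardened pattern: state changes only via POST with a token that an
// attacker's site cannot read (it lives in the victim's session).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function handle_reset_hardened(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'rejected: method';
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    // hash_equals: constant-time comparison, and a missing token never matches.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'rejected: token';
    }
    if (($post['action'] ?? '') === 'reset' && function_exists('opcache_reset')) {
        opcache_reset();
    }
    return 'reset';
}

// The legitimate UI submits the action as a form that carries the token.
$form = '<form method="post" action="admin_opcacheinfo.php">'
      . '<input type="hidden" name="page" value="showinfo">'
      . '<input type="hidden" name="action" value="reset">'
      . '<input type="hidden" name="csrf_token" value="' . htmlspecialchars(csrf_token()) . '">'
      . '<button type="submit">Reset OPCache</button></form>';
```

Setting the session cookie with `SameSite=Lax` (the browser default in current Chromium) adds defense in depth, but the token check is what closes the issue for every browser.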

Michael Kaufmann validated this vulnerability 9 days ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.0-beta1 with commit f7f356 9 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Michael Kaufmann published this vulnerability 9 days ago