Get based CSRF on Reset OP Cache functionality in froxlor/froxlor


Reported on

Dec 31st 2022


The functionality to reset the OPCache is vulnerable to CSRF. In fact, it would be a good practice to implement a CSRF token in URL if the GET functionality is meant to trigger an action, instead of only retrieving data. Alternatively, it can be turned in a POST request, which I can see already has the CSRF protection implemented.

Proof of Concept

  • Login as admin (but right now it also works with reseller user)
  • Open this link:

You will see the 302 status code and then, the page redirects to the overview page, as intended.


With this vulnerability, an attacker can trick the admin or reseller user to reset the OPCache just sending the link (if he has change_serversettings to 1)

We are processing your report and will contact the froxlor team within 24 hours. a year ago
Michael Kaufmann validated this vulnerability a year ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.0-beta1 with commit f7f356 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation