Cross-Site Request Forgery (CSRF) in ampache/ampache


Reported on

Aug 31st 2021

✍️ Description

CSRF bug that allows disabling a user

🕵️‍♂️ Proof of Concept

I see that when disabling a user there is no CSRF token check.
1. First, log in to an admin account.
2. Now copy the URL http://localhost/ampache-develop/public/admin/users.php?action=disable&user_id=3, paste it into a browser tab and hit enter.
Now the user will be disabled.
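As an added illustration (not Ampache's code; sketched in Python rather than the project's PHP, with a constructed in-memory user table and session), the unprotected handler the report describes sits beside a hardened one that only acts on a POST carrying a per-session token, and both are exercised with the report's exact URL riding on the admin's session, which is what a cross-site page can cause the browser to send:

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the user table; user_id 3 is the target in the report.
def fresh_users() -> dict:
    return {3: {"name": "example-user", "disabled": False}}

def new_admin_session() -> dict:
    # One unguessable token per login session, embedded only in the server's own forms.
    return {"admin": True, "csrf_token": secrets.token_hex(32)}

def _apply_disable(users, query) -> bool:
    user = users.get(int(query["user_id"]))
    if user is None:
        return False
    user["disabled"] = True
    return True

def disable_vulnerable(users, session, method, query, form) -> bool:
    """Reported behaviour: any authenticated request with action=disable&user_id=N takes effect."""
    if not session.get("admin") or query.get("action") != "disable":
        return False
    return _apply_disable(users, query)

def disable_hardened(users, session, method, query, form) -> bool:
    """Same action, but only on POST with a token equal to the session's; a cross-site
    page cannot read that token, so a forged request fails before any state changes."""
    if not session.get("admin") or query.get("action") != "disable":
        return False
    if method != "POST":  # a plain link or image tag can never trigger the action
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False
    return _apply_disable(users, query)

REPORTED_URL = "http://localhost/ampache-develop/public/admin/users.php?action=disable&user_id=3"

def forged_request(handler) -> bool:
    """Replays the report's URL as a bare GET on the admin's session; returns whether user 3 was disabled."""
    users, session = fresh_users(), new_admin_session()
    query = {k: v[0] for k, v in parse_qs(urlsplit(REPORTED_URL).query).items()}
    handler(users, session, "GET", query, {})
    return users[3]["disabled"]

def legitimate_request(handler) -> bool:
    """The admin submits the confirmation form carrying the token the server issued."""
    users, session = fresh_users(), new_admin_session()
    handler(users, session, "POST", {"action": "disable", "user_id": "3"}, {"csrf_token": session["csrf_token"]})
    return users[3]["disabled"]
```

The hardened handler still disables the user for the admin's own form submission, so the token check costs nothing functionally.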

💥 Impact

A user can be disabled via this CSRF bug.


We have contacted a member of the ampache team and are waiting to hear back (2 years ago)
lachlan validated this vulnerability (2 years ago)
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs (2 years ago)


I've put enable and disable behind confirmation dialogs now with

lachlan marked this as fixed with commit bcdd8b 2 years ago
lachlan has been awarded the fix bounty
This vulnerability will not receive a CVE