GET-based CSRF on Reset OPcache functionality in froxlor/froxlor
Dec 31st 2022
The functionality to reset the OPcache is vulnerable to CSRF: the action is triggered by a plain GET request that carries no anti-CSRF token, so the browser attaches the victim's session cookie to any request an attacker's page makes for that URL. A GET request that changes server state should at least require a CSRF token in the URL; better, since tokens in URLs end up in browser history, logs and Referer headers, the action can be turned into a POST request, which already has CSRF protection implemented in froxlor.
Proof of Concept
- Log in as admin (right now it also works with a reseller user)
- Open this link: https://v2.demo.froxlor.org/admin_opcacheinfo.php?page=showinfo&action=reset
You will see a 302 status code, then the page redirects to the overview page, as intended, and the OPcache has been reset.
With this vulnerability, an attacker can trick an admin or reseller user into resetting the OPcache just by sending them the link (provided the user has change_serversettings set to 1).
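The following is an added illustrative model of the report, not froxlor's own code: it replays the cross-site GET from the proof of concept against a handler that behaves as reported (any authenticated GET with `action=reset` resets the cache) and against a hardened variant that only accepts a POST carrying a per-session CSRF token. The `Session`, `Request`, `Server` types, the `csrf_token` field, the `handle_*` functions and the status codes returned on rejection are assumptions made for the example; only the path, query parameters, `change_serversettings` permission and the 302 redirect come from the report.

```python
# Added example modelling the reported CSRF; not froxlor's code.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RESET_PATH = "/admin_opcacheinfo.php"  # path from the PoC URL


@dataclass
class Session:
    """Server-side session of a logged-in user (model)."""
    user: str
    change_serversettings: int = 0  # permission named in the report
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """One HTTP request; `session` stands for the cookie the browser attaches."""
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session: Optional[Session] = None


@dataclass
class Server:
    resets: int = 0  # how many times the OPcache was actually reset


def _params(req: Request) -> Dict[str, str]:
    return req.form if req.method == "POST" else req.query


def _is_reset(req: Request) -> bool:
    p = _params(req)
    return req.path == RESET_PATH and p.get("page") == "showinfo" and p.get("action") == "reset"


def handle_vulnerable(req: Request, srv: Server) -> int:
    """Reported behaviour: authentication and permission are the only checks."""
    if req.session is None or req.session.change_serversettings != 1:
        return 403
    if _is_reset(req):
        srv.resets += 1
        return 302  # redirect to the overview page, as the PoC observes
    return 200


def handle_hardened(req: Request, srv: Server) -> int:
    """Hardened variant (assumption): state change only via POST with a valid token."""
    if req.session is None or req.session.change_serversettings != 1:
        return 403
    if _is_reset(req):
        if req.method != "POST":
            return 405  # GET may only read data
        token = _params(req).get("csrf_token", "")
        if not hmac.compare_digest(token, req.session.csrf_token):
            return 403  # missing or wrong token: not submitted from our own form
        srv.resets += 1
        return 302
    return 200


def cross_site_get(victim: Session) -> Request:
    """What the victim's browser sends when it loads the attacker's link (or an <img src=...>):
    the PoC query string plus the session cookie, and no token, which the attacker cannot read."""
    return Request("GET", RESET_PATH, {"page": "showinfo", "action": "reset"}, session=victim)


def legitimate_post(user: Session) -> Request:
    """Form submission from the real admin page, which embeds the session token."""
    form = {"page": "showinfo", "action": "reset", "csrf_token": user.csrf_token}
    return Request("POST", RESET_PATH, form=form, session=user)


def run_scenario(handler) -> Tuple[int, int, int, int]:
    """Replay the attack, then a legitimate reset, against one handler.
    Returns (attack status, resets after attack, legitimate status, resets total)."""
    admin = Session("admin", change_serversettings=1)
    srv = Server()
    attack_status = handler(cross_site_get(admin), srv)
    after_attack = srv.resets
    legit_status = handler(legitimate_post(admin), srv)
    return attack_status, after_attack, legit_status, srv.resets


if __name__ == "__main__":
    print("vulnerable:", run_scenario(handle_vulnerable))
    print("hardened:  ", run_scenario(handle_hardened))
```

Against the vulnerable handler the cross-site GET returns 302 and the counter shows the cache was reset; against the hardened one the same request is refused with 405 and nothing changes, while the admin's own form submission still works. The token comparison uses `hmac.compare_digest` so that a wrong guess cannot be distinguished by timing.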