GET-based CSRF on Reset OP Cache functionality in froxlor/froxlor
Reported on
Dec 31st 2022
Description
The functionality to reset the OPCache is vulnerable to CSRF. If a GET request is meant to trigger an action rather than only retrieve data, good practice is to require a CSRF token in the URL. Alternatively, the action can be turned into a POST request, which I can see already has CSRF protection implemented.
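To make the suggested fix concrete, the following is an added example (not froxlor's code) of how a request handler can treat a state-changing `action=reset` parameter: a bare GET is refused, and the action runs only when the request carries a token matching the caller's server-side session, normally via POST. The optional `allow_tokenized_get` switch corresponds to the report's first alternative (a token in the URL). The `Session`, `Request`, `handle_opcache_action` and `reset_opcache` names, the response strings and the session state are all hypothetical and constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    # Server-side session of the logged-in admin or reseller (constructed state).
    # The token lives only here and in the rendered form, so a cross-site page
    # cannot read or guess it.
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str   # "GET" or "POST"
    params: dict  # query-string or form fields, merged for simplicity


def reset_opcache(state):
    # Stand-in for the real reset: only records that it happened and answers
    # with the redirect to the overview page that the report describes.
    state["opcache_resets"] += 1
    return "302 redirect to page=showinfo"


def handle_opcache_action(req, session, state, allow_tokenized_get=False):
    """Hypothetical dispatch for an admin_opcacheinfo.php-style page.

    Read-only views are served on GET. The state-changing 'reset' action is
    refused on a bare GET (the forgeable case) and is executed only when the
    request's csrf_token matches the session token, compared in constant time.
    """
    action = req.params.get("action")
    if action != "reset":
        return "200 showinfo"

    if req.method == "GET" and not allow_tokenized_get:
        # A GET that mutates state is exactly what a third-party page can
        # trigger in the victim's browser; refuse it rather than act on it.
        return "405 reset requires POST"

    token = str(req.params.get("csrf_token", ""))
    # Encode both sides so compare_digest never raises on non-ASCII input.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return "403 missing or invalid csrf token"

    return reset_opcache(state)


def demo():
    """Walk through the three interesting cases; returns (responses, reset_count)."""
    state = {"opcache_resets": 0}
    session = Session(user="admin")
    responses = [
        handle_opcache_action(Request("GET", {"page": "showinfo", "action": "reset"}), session, state),
        handle_opcache_action(Request("POST", {"action": "reset"}), session, state),
        handle_opcache_action(Request("POST", {"action": "reset", "csrf_token": session.csrf_token}), session, state),
    ]
    return responses, state["opcache_resets"]


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Only the third request in `demo()` performs the reset; the forged-style GET and the token-less POST are rejected before any state changes, which is the behaviour a defender wants to confirm after applying either of the two fixes the report proposes.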
Proof of Concept
- Log in as admin (right now it also works with a reseller user)
- Open this link: https://v2.demo.froxlor.org/admin_opcacheinfo.php?page=showinfo&action=reset
You will see a 302 status code and the page then redirects to the overview page, as intended.
Impact
With this vulnerability, an attacker can trick the admin or reseller user into resetting the OPCache just by sending them the link (if the user has change_serversettings set to 1).