CSRF on SSL certificates deletion in froxlor/froxlor


Reported on

Nov 4th 2022

📜 Description

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform (using form submissions). It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

In your application, CSRF vulnerability occurs when an administrator click on the malicious link and logs in.

🕵️ Proof of Concept

  1. Send a malicious link or redirect the admin to : https://demo.froxlor.org/index.php?script=admin_domains.php&qrystr=%26page%3Dsslcertificates%26action%3Ddelete%26id%3D1 (id=1).
  2. The admin logs in and automatically delete the SSL certificate with the ID n°1.

🔐 Mitigations

The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be:

  • Unpredictable with high entropy, as for session tokens in general.
  • Tied to the user's session.
  • Strictly validated in every case before the relevant action is executed.

Example of an HTML form that uses a CSRF token :

<form action="/profile" method="POST">
    <input type="text" name="name" value="">
    <input type="email" name="email" value="">
    <input type="hidden" name="csrf" value="d192140e2f1db42d60e508731b4095c08447c985c34a3b7a580e88e5c8b1d9a5">

📚 References


In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account.

In your application, the CSRF attack causes a SSL certificate deletion, this can be harmful to the availability of applications.

We are processing your report and will contact the froxlor team within 24 hours. a year ago
We have contacted a member of the froxlor team and are waiting to hear back a year ago
Michael Kaufmann validated this vulnerability a year ago

As one needs to log in as admin, i don't think it's a severity high, will be fixed with next release on 2nd of december

xanhacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a year ago


Thank you for validating the report.

The CVSS score of a CSRF sets the "Privileges Required (PR)" to None, because the attacker does not need the admin account but only a "User Interaction (UI)". It's a bit strange but that's how the CVSS score works.

Michael Kaufmann marked this as fixed in with commit 4d454a a year ago
Michael Kaufmann has been awarded the fix bounty
This vulnerability has now been published a year ago
a year ago


Hey @maintainer @admin, could we assign a CVE id ?

a year ago


Xanhacks the maintainer chose not to assign a CVE in this case

to join this conversation