jflyfox jfinal_cms
cpe:2.3:a:jflyfox:jfinal_cms:*:*:*:*:*:*:*
- 5.0.1
A cross-site request forgery (CSRF) vulnerability has been identified in jflyfox jfinal_cms version 5.0.1. The issue arises in the HOME.java file, where the logout method lacks proper CSRF protections. This vulnerability allows attackers to manipulate the logout parameter and initiate a logout action on behalf of the user, without their consent. The vulnerability can be exploited remotely and requires user interaction.
Exploitation of this vulnerability allows for unauthorized logout actions, potentially leading to session hijacking or disruption of user activities.
To reproduce this vulnerability, capture a logout request: it is sent as a GET request and is not protected by any CSRF token verification. Because the browser will fetch the URL wherever it is embedded, the logout request can be placed in a user's avatar URL; once the browser requests it, the user is logged out automatically. The proof of concept demonstrates this by saving the crafted logout request as the avatar in the personal settings, so the logout action fires whenever the avatar is viewed.
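The pattern behind this advisory (a state-changing logout handler reachable by a plain GET with no token check) is shown below beside a hardened form, as an added illustration. This is not code from jfinal_cms or from HOME.java; it is a generic servlet-based example, and the class names, the `/login` redirect target and the `csrfToken` parameter name are assumptions.

```java
// Added example, not jfinal_cms code. Class names, the "/login" redirect and the
// "csrfToken" parameter name are assumptions for illustration.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Weak pattern (what the advisory describes): a state-changing action on GET with no
// token check. Any page that embeds the URL, e.g. as an image source such as an
// avatar, makes the viewer's browser send the request and logs the viewer out.
class WeakLogoutServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.sendRedirect("/login");
    }
}

// Hardened pattern: logout only on POST, with a per-session synchronizer token
// that the logout form must echo back. A GET can no longer trigger the action,
// and a cross-site POST cannot read the token it would need to supply.
public class LogoutServlet extends HttpServlet {
    static final String TOKEN_ATTR = "csrfToken";
    private static final SecureRandom RNG = new SecureRandom();

    // Called when rendering a page that contains the logout form; returns the
    // token bound to this session, creating it on first use.
    public static String issueToken(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_ATTR);
        if (token == null) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            session.setAttribute(TOKEN_ATTR, token);
        }
        return token;
    }

    // Constant-time comparison so the check does not leak token bytes via timing.
    static boolean tokenMatches(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    // GET is refused outright: an image tag or link must not be able to log anyone out.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "logout requires POST");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(false);
        if (session == null) {
            resp.sendRedirect("/login");
            return;
        }
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        String supplied = req.getParameter("csrfToken");
        if (!tokenMatches(expected, supplied)) {
            // Reject without touching the session; log for detection if desired.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid CSRF token");
            return;
        }
        session.invalidate();
        resp.sendRedirect("/login");
    }
}
```

The logout form on the page embeds the value returned by `issueToken(session)` in a hidden `csrfToken` field. Refusing GET is what removes the avatar-URL trigger described above; the token check is what stops a cross-site form POST. Setting the session cookie with `SameSite=Lax` or `Strict` is a useful additional layer but not a replacement for the token, since older clients ignore the attribute.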