Emlog Pro Cross-Site Request Forgery Vulnerability in Password Change Endpoint

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Emlog Pro versions through 2.5.19. The issue resides in the password change endpoint, which lacks effective CSRF protection: a state-changing POST is accepted on the strength of the session cookie alone. An attacker who lures a logged-in administrator to a page they control can cause the browser to submit a forged POST to that endpoint, and because the browser attaches the administrator's session cookie, the server treats it as a deliberate password change. This flaw could lead to unauthorized account access for privileged users.

Impact

Exploitation of this vulnerability allows for unauthorized password changes, resulting in admin account takeover. With admin access an attacker can further compromise the application, for example by creating new users or altering settings. The vulnerability could also be chained with other attacks, such as using the hijacked admin session to deliver stored Cross-Site Scripting.

Reproduction

To reproduce this vulnerability, an attacker creates a crafted HTML form that targets the password change endpoint and carries the new password values and, if applicable, a token parameter, which can be left blank (an empty token being accepted indicates that the server does not validate it). This form is hosted on a page controlled by the attacker and submitted automatically, for instance by a small script that calls submit() on page load. When an admin user visits the page while logged into Emlog, the browser sends the POST with the admin's session cookie, changing the admin's password without their consent. A request captured from a legitimate password change can also be replayed to achieve the same effect, which suggests that any token value is neither bound to the session nor invalidated after use.

Remediation

It is recommended to implement strong CSRF protections: issue unpredictable per-session tokens, embed them in the form, and validate them on the server side with a constant-time comparison, rejecting requests whose token is missing, empty, or does not match the session. Sensitive actions such as password changes should additionally require re-authentication (for example, supplying the current password), and the 'Origin' or 'Referer' header should be validated to block cross-origin state-changing requests, failing closed when neither header is present. Setting the session cookie with the SameSite attribute (Lax or Strict) is a worthwhile defense in depth, since browsers then omit the cookie from cross-site POST submissions, but it should not replace server-side token validation.
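The following is an added example, not Emlog's code, that models both the Reproduction and Remediation sections above: a 'before' handler that accepts the forged cross-site POST (and the replayed capture) beside an 'after' handler that applies an origin check, a constant-time session-bound token check, re-authentication with the current password, and token rotation. The endpoint shape, the form field names (new_pw, current_pw, token), the origins blog.example and attacker.example, and the PBKDF2 password hashing are all assumptions for illustration; Emlog's actual parameter names are not given on this page.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://blog.example"          # assumed origin of the Emlog install
ATTACKER_ORIGIN = "https://attacker.example"  # assumed attacker-controlled page


def _hash_pw(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hashing the application uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_session(password: str) -> dict:
    """Constructed server-side session for an already logged-in admin."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": _hash_pw(password, salt),
        "csrf": secrets.token_hex(32),  # unpredictable, per-session token
    }


def forged_request() -> dict:
    """What the browser sends when the attacker's auto-submitting form fires:
    the session cookie rides along, Origin is the attacker's page, and the
    token field is present but blank, as described under Reproduction."""
    return {
        "headers": {"Origin": ATTACKER_ORIGIN},
        "form": {"new_pw": "pwned123", "token": ""},
    }


def legitimate_request(session: dict, current_pw: str, new_pw: str) -> dict:
    """Request the real settings page would produce (field names assumed)."""
    return {
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"current_pw": current_pw, "new_pw": new_pw, "token": session["csrf"]},
    }


def vulnerable_change_password(session: dict, request: dict) -> int:
    """'Before': the cookie alone authorises the change; the token is never checked."""
    new_pw = request["form"].get("new_pw", "")
    if not new_pw:
        return 400
    session["pw_hash"] = _hash_pw(new_pw, session["salt"])
    return 200


def _same_origin(headers: dict) -> bool:
    # Browsers set Origin on cross-site POSTs; fall back to Referer otherwise.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # fail closed when neither header is present
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_change_password(session: dict, request: dict) -> int:
    """'After': origin check, constant-time session-bound token check,
    re-authentication, and token rotation so a captured request cannot be replayed."""
    form = request["form"]
    if not _same_origin(request["headers"]):
        return 403
    token = form.get("token", "")
    if not token or not hmac.compare_digest(token, session["csrf"]):
        return 403  # missing, empty, or wrong token
    supplied = _hash_pw(form.get("current_pw", ""), session["salt"])
    if not hmac.compare_digest(supplied, session["pw_hash"]):
        return 403  # re-authentication failed
    new_pw = form.get("new_pw", "")
    if not new_pw:
        return 400
    session["pw_hash"] = _hash_pw(new_pw, session["salt"])
    session["csrf"] = secrets.token_hex(32)  # rotate after a sensitive action
    return 200
```

Running the forged request through both handlers shows the difference directly: the vulnerable handler returns 200 and overwrites the hash, while the hardened handler rejects it at the origin check and would still reject it at the token check even if the origin were spoofable. A legitimate request succeeds once; re-sending the same captured request fails because the token was rotated and the supplied current password is now stale.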

Added: Oct 10, 2025, 8:18 PM
Updated: Oct 10, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm
spread          3.4
impact          5.0
exploitability  7.9
remediation     0.0
relevance       0.7
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.