FluxCP Cross-Site Request Forgery Vulnerability Allowing Account Takeover

Vulnerability

A critical Cross-Site Request Forgery (CSRF) vulnerability has been identified in FluxCP, a web-based control panel for rAthena servers, prior to version e3f130c. This vulnerability exists in the account module of the FluxCP template used by multiple rAthena/Ragnarok servers. The issue arises because state-changing POST endpoints, such as those for changing email, password, or transferring credits, accept requests authorized only by the session cookie. These endpoints lack per-request anti-CSRF tokens and robust validation of the Origin or Referer headers. As a result, an attacker can lure a logged-in user into performing sensitive actions without their consent.

Impact

Exploitation of this vulnerability could lead to unauthorized account actions, such as email changes (potentially allowing account takeover), forced password resets, and unauthorized transfers of in-game credits or assets.

Reproduction

To reproduce this vulnerability, authenticate with a test account on a FluxCP instance that runs the vulnerable template. Once logged in, the browser holds a valid session cookie. From a different origin, submit a POST request to an affected endpoint, such as the account email change, password change, or credit transfer action, using the same form parameters the site expects. If the server processes the request on the strength of the session cookie alone, the endpoint is vulnerable to CSRF.

Remediation

Users should update to FluxCP version e3f130c or later, which addresses the vulnerability by adding proper CSRF token validation and enhancing cookie security.
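The following is an added illustration of the remediation described above, not code from FluxCP or the rAthena project. It models the two controls the fix introduces, a per-session anti-CSRF token checked on every state-changing POST and an Origin/Referer check against the panel's own origin, and sets the session cookie with SameSite, Secure and HttpOnly flags. The site origin, cookie name, and the dict-based request and session objects are assumptions made for the demo; a real control panel would read them from its configuration and framework.

```python
"""Added example (not FluxCP's own code): synchronizer-token CSRF guard with
Origin/Referer validation and hardened session-cookie flags.
Requests and sessions are plain dicts constructed for the demo."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for the demo (placeholders, not real FluxCP settings).
SITE_ORIGIN = "https://cp.example.test"
SESSION_COOKIE_NAME = "sid"


def issue_csrf_token(session: dict) -> str:
    """Create a random per-session token and store it server-side.
    The same value is embedded as a hidden field in every state-changing form."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the panel itself.
    A state-changing request carrying neither header is rejected."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def csrf_token_valid(session: dict, form: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's copy."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def vulnerable_change_email(session: dict, form: dict, headers: dict) -> str:
    """Pre-fix behaviour: a valid session cookie alone authorises the change,
    so a cross-origin form post from a logged-in browser succeeds."""
    if not session.get("account_id"):
        return "login required"
    session["email"] = form["email"]
    return "email changed"


def hardened_change_email(session: dict, form: dict, headers: dict) -> str:
    """Post-fix behaviour: session, then Origin/Referer, then anti-CSRF token."""
    if not session.get("account_id"):
        return "login required"
    if not origin_allowed(headers):
        return "rejected: bad origin"
    if not csrf_token_valid(session, form):
        return "rejected: missing or invalid csrf token"
    session["email"] = form["email"]
    return "email changed"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line with the flags that blunt CSRF and cookie theft:
    SameSite=Lax keeps the cookie off cross-site POSTs, Secure limits it to
    HTTPS, HttpOnly keeps it away from script."""
    return (f"Set-Cookie: {SESSION_COOKIE_NAME}={session_id}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")


def make_logged_in_session(account_id: str = "2000001",
                           email: str = "old@example.test") -> dict:
    """Constructed session for a user who has already authenticated."""
    session = {"account_id": account_id, "email": email}
    issue_csrf_token(session)
    return session


if __name__ == "__main__":
    # Constructed cross-origin request: no token, foreign Origin header.
    forged_form = {"email": "attacker@example.test"}
    forged_headers = {"Origin": "https://attacker.example"}
    print("vulnerable:", vulnerable_change_email(make_logged_in_session(),
                                                  forged_form, forged_headers))
    print("hardened:  ", hardened_change_email(make_logged_in_session(),
                                                forged_form, forged_headers))
    print(session_cookie_header("demo-session-id"))
```

The token check alone would already stop the forged request; the Origin/Referer check is kept as a second, independent layer, and the `SameSite=Lax` cookie means that even an endpoint the maintainers forget to protect does not receive the session cookie on a cross-site POST.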

Added: Oct 29, 2025, 6:19 PM
Updated: Oct 29, 2025, 7:25 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 3.1
exploitability: 7.7
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.