Turms Admin API Cross-Site Request Forgery Vulnerability Allowing Privilege Escalation
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Turms Admin API in versions through v0.10.0-SNAPSHOT: its state-changing operations have no CSRF protection. The Admin API authenticates with HTTP Basic Authentication, and browsers automatically attach those credentials to cross-origin requests. With no CSRF tokens or SameSite cookie attributes in place, a malicious website can trigger unauthorized actions while an administrator is logged in. Exploitation could lead to unauthorized administrative actions, such as creating backdoor accounts, modifying system settings, or manipulating user accounts.
Impact
Successful exploitation allows for unauthorized administrative actions, including the creation, modification, or deletion of user accounts, changes to system configurations, and the installation or modification of plugins. Additionally, this vulnerability could be exploited to escalate privileges by manipulating admin accounts.
Reproduction
To reproduce this vulnerability, an attacker must host a malicious webpage that exploits the CSRF flaw. The page can contain a hidden form, or use JavaScript, to send a request to a vulnerable Admin API endpoint, such as one that creates or deletes administrators. The browser automatically attaches the administrator's HTTP Basic Authentication credentials to that request, so the API performs the action with admin privileges without any further check.
Remediation
To address this vulnerability, implement CSRF token protection for state-changing operations, add SameSite attributes to cookies if using cookie-based authentication, require custom headers for API requests, and consider additional protections such as re-authentication for critical operations or logging administrative actions for audit purposes.
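As an added example (not Turms project code), the custom-header and origin checks from the remediation above, written as a server-side gate that ignores the request's Basic credentials; header names, origins and the credential placeholder are constructed for illustration:

```python
# Added example (not Turms project code): a request gate that applies the
# remediation above to the Admin API. All names and origins are hypothetical.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Methods that change state and therefore need CSRF protection.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
# A cross-site HTML form cannot set this header, and a cross-origin fetch that
# sets it triggers a CORS preflight this server never approves. SameSite cookie
# attributes do not affect cached Basic credentials, so the gate relies on this
# header plus Origin/Referer validation rather than on the credentials.
REQUIRED_HEADER = "x-requested-with"

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def _origin_of(headers: dict) -> Optional[str]:
    """scheme://host[:port] from Origin, falling back to Referer; None if absent."""
    origin = headers.get("origin")
    if origin:
        return origin.lower()
    parts = urlsplit(headers.get("referer", ""))
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None

def check_csrf(method: str, headers: dict, allowed_origins: set) -> Decision:
    """Decide whether a request may proceed, regardless of its Authorization header.
    headers maps lower-cased names to values. Fails closed: a state-changing
    request without a verifiable allowed origin is rejected."""
    if method.upper() not in STATE_CHANGING:
        return Decision(True, "read-only method")
    if REQUIRED_HEADER not in headers:
        return Decision(False, f"missing {REQUIRED_HEADER} header")
    origin = _origin_of(headers)
    if origin is None:
        return Decision(False, "no Origin or Referer on state-changing request")
    if origin not in {o.lower() for o in allowed_origins}:
        return Decision(False, f"origin {origin} not allowed")
    return Decision(True, "scripted request from an allowed origin")

# Constructed sample requests; both carry the admin's (placeholder) Basic credentials.
ADMIN_CONSOLE = {"https://admin.example.test"}
CROSS_SITE_FORM = {"authorization": "Basic <placeholder>", "origin": "https://evil.example.test",
                   "content-type": "application/x-www-form-urlencoded"}
LEGIT_FETCH = {"authorization": "Basic <placeholder>", "origin": "https://admin.example.test",
               "x-requested-with": "XMLHttpRequest", "content-type": "application/json"}
```

The gate is a complement to, not a replacement for, CSRF tokens and re-authentication on critical operations; logging each rejected Decision gives the audit trail the remediation asks for.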