Easy!Appointments Cross-Site Request Forgery Vulnerability Allowing Admin Account Takeover
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Easy!Appointments versions through 1.5.2. The issue arises because the CSRF protection mechanism in 'application/core/EA_Security.php' only applies to POST requests, allowing non-POST methods to bypass validation. This flaw enables attackers to exploit endpoints that perform state-changing operations via GET requests, leading to unauthorized actions such as creating admin accounts or modifying admin credentials. As a result, an attacker could gain full control over an admin account.
Impact
Exploitation of this vulnerability allows for Cross-Site Request Forgery attacks, leading to unauthorized creation or modification of admin accounts and credentials, and full administrative takeover of the application.
Reproduction
To reproduce this vulnerability, an attacker can create an HTML form that sends a GET request to a vulnerable endpoint, such as 'index.php/admins/store' or 'index.php/admins/update'. This form can be submitted automatically when the victim, an authenticated admin, visits the page. The form must include the fields needed to create or update an admin account, such as name, email, password, and other relevant information. Once the form is submitted, the requested action is performed without the victim's consent, exploiting the CSRF vulnerability.
Remediation
To address this vulnerability, it is recommended to enforce CSRF checks for all request methods, including GET, unless the URI is explicitly whitelisted. Additionally, update application controllers to ensure that all state-changing actions only accept the appropriate HTTP methods, and require re-authentication or confirmation for critical operations such as email or password changes.
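As an added example, not code from the Easy!Appointments project, the following PHP script contrasts the POST-only CSRF check described in the Vulnerability section with the two remediation measures recommended above: a token check that applies to every request method unless the URI is explicitly whitelisted, and a per-action guard that rejects disallowed HTTP methods outright. The function names, the whitelist entry, the sample requests and the session-token handling (a server-side token compared with hash_equals) are assumptions made for this illustration; only the two 'admins' endpoints come from the advisory.

```php
<?php
// Added example, not Easy!Appointments code: a CSRF guard applied to all request
// methods unless whitelisted, shown next to the weak POST-only variant.
declare(strict_types=1);

/** Weak variant: only POST requests are checked, so a GET skips the token check. */
function csrf_required_post_only(string $method): bool
{
    return strtoupper($method) === 'POST';
}

/**
 * Hardened variant: every method is checked unless the request path exactly
 * matches a whitelist entry (assumed to contain only safe, read-only pages).
 */
function csrf_required(string $method, string $uri, array $whitelist): bool
{
    $path = parse_url($uri, PHP_URL_PATH);
    return !is_string($path) || !in_array($path, $whitelist, true);
}

/** Constant-time comparison of the submitted token with the session token. */
function csrf_token_valid(?string $submitted, ?string $sessionToken): bool
{
    if ($submitted === null || $sessionToken === null) {
        return false;
    }
    return hash_equals($sessionToken, $submitted);
}

/**
 * Controller-side guard for a state-changing action. Returns an HTTP status:
 * 405 when the method is not allowed for this action, 403 when a CSRF token
 * is required but missing or invalid, 200 when the request may proceed.
 */
function guard_state_change(
    string $method,
    string $uri,
    ?string $submitted,
    ?string $sessionToken,
    array $allowedMethods,
    array $whitelist
): int {
    if (!in_array(strtoupper($method), $allowedMethods, true)) {
        return 405;
    }
    if (csrf_required($method, $uri, $whitelist)
        && !csrf_token_valid($submitted, $sessionToken)) {
        return 403;
    }
    return 200;
}

// Constructed sample session and requests (hypothetical values for illustration).
$sessionToken = bin2hex(random_bytes(16));
$whitelist = ['/index.php/booking'];   // assumed safe, read-only page

$cases = [
    // method, uri, submitted token, methods allowed for the action
    ['GET',  '/index.php/admins/store?name=x', null,          ['POST']],
    ['POST', '/index.php/admins/store',        null,          ['POST']],
    ['POST', '/index.php/admins/update',       $sessionToken, ['POST']],
    ['GET',  '/index.php/booking',             null,          ['GET']],
];

foreach ($cases as [$method, $uri, $token, $allowed]) {
    printf(
        "%-4s %-34s post-only-check=%-3s all-methods-check=%-3s status=%d\n",
        $method,
        $uri,
        csrf_required_post_only($method) ? 'yes' : 'no',
        csrf_required($method, $uri, $whitelist) ? 'yes' : 'no',
        guard_state_change($method, $uri, $token, $sessionToken, $allowed, $whitelist)
    );
}
```

The first sample request is the pattern the advisory describes: under the POST-only rule a GET to 'admins/store' is never checked, while the hardened rule still demands a token and the per-action guard refuses the method with 405 before the token is even consulted. The whitelist is deliberately an exact-path match rather than a prefix match, so a whitelisted read-only page cannot be used to cover a neighbouring state-changing route.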