Emlog Cross-Site Request Forgery Vulnerability in Asynchronous Media Deletion

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Emlog versions through 2.6.6. The issue arises in the 'delete_async' action of the media management feature, which performs no CSRF token validation and therefore allows media files to be deleted without the administrator's intent. The affected code is located in the 'admin/media.php' file, specifically between lines 146 and 150.

Impact

Exploitation of this vulnerability allows an attacker to trigger unauthorized deletion of media files, because the 'delete_async' action relies on the authenticated session alone and has no CSRF protection to bypass.

Reproduction

To reproduce this vulnerability, send a POST request to 'admin/media.php' with the 'action' parameter set to 'delete_async' and the 'aid' parameter set to the ID of the media file to be deleted. Because no CSRF token is validated, the media file is deleted without authorization. This vulnerability can be exploited by crafting a malicious webpage that sends such requests automatically, deleting multiple media files in sequence.

Remediation

To address this vulnerability, add CSRF token validation by including a call to 'LoginAuth::checkToken()' in the 'delete_async' action before the media deletion is processed.
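The following is an added illustration, not Emlog's own source: a minimal reconstruction of a 'delete_async' handler in admin/media.php with the remediation applied. 'LoginAuth::checkToken()', 'action', 'aid' and the file path come from the advisory; the body of checkToken(), the genToken() helper, the MediaStore class and the 'token' field name are stand-ins assumed for this example.

```php
<?php
// Added example, not Emlog's own source: a minimal reconstruction of the
// 'delete_async' handler in admin/media.php with the remediation described
// above. LoginAuth::checkToken() is the fix the advisory names; its body here,
// MediaStore and the 'token' field name are stand-ins assumed for this example.

final class LoginAuth
{
    // Per-session secret that same-origin admin pages embed in their forms.
    // A third-party page cannot read it, which is what defeats the forgery.
    public static function genToken(): string
    {
        if (empty($_SESSION['token'])) {
            $_SESSION['token'] = bin2hex(random_bytes(32));
        }
        return $_SESSION['token'];
    }

    // Reject the request unless the submitted token matches the session's;
    // hash_equals() keeps the comparison constant-time.
    public static function checkToken(): void
    {
        $want = $_SESSION['token'] ?? '';
        $sent = (string) ($_POST['token'] ?? '');
        if ($want === '' || !hash_equals($want, $sent)) {
            http_response_code(403);
            exit('Illegal request: invalid token');
        }
    }
}

final class MediaStore
{
    public function __construct(private array $files) {}
    public function delete(int $aid): void { unset($this->files[$aid]); }
}

// Before the fix the handler ran the deletion straight away, so the session
// cookie the browser attaches to any POST was the only authority for it.
function deleteAsync(MediaStore $store): void
{
    LoginAuth::checkToken();   // the remediation: validate before deleting
    $store->delete((int) ($_POST['aid'] ?? 0));
}

session_start();
if (($_POST['action'] ?? '') === 'delete_async') {
    deleteAsync(new MediaStore([1 => 'a.png', 2 => 'b.jpg'])); // constructed sample
}
```

The value returned by genToken() must be rendered into the admin page's delete form, or into the script that issues the asynchronous request, as the 'token' field so that legitimate deletions keep working.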

Added: Mar 11, 2026, 8:27 PM
Updated: Mar 11, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 7.5
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.