Admidio Cross-Site Request Forgery Vulnerability in Role Membership Date Management

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Admidio, an open-source user management solution, affecting versions 5.0.6 and prior. The issue arises in the 'save_membership' action within 'modules/profile/profile_function.php', where changes to a member's role membership dates are saved without proper CSRF token validation. While other membership-related actions do include CSRF protection, 'save_membership' is excluded, leaving it open to exploitation. This vulnerability allows an attacker to manipulate membership dates for users in roles led by the targeted role leader, potentially terminating access or revoking role-specific features without notification or administrative approval.

Impact

Exploitation of this vulnerability allows for unauthorized manipulation of role membership dates, with the potential to backdate and terminate a member's active status, extend access beyond authorized limits, or revoke access to role-specific features, all without requiring administrative approval.

Reproduction

To reproduce this vulnerability, an attacker can create a webpage that includes a form targeting the 'save_membership' action. This form should be embedded with the necessary membership UUIDs and crafted start and end dates. When a role leader visits the page while logged into Admidio, the form can automatically submit, exploiting the absence of CSRF token validation for that action.

Remediation

Users are advised to update to Admidio version 5.0.7, which addresses this vulnerability by adding the necessary CSRF token validation for the 'save_membership' action.
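The fix class described above, a token check that the action was missing, is illustrated below with an added example written for this page; it is not Admidio's own code, and the function names (issueCsrfToken, validateCsrfToken, saveMembershipUnprotected, saveMembershipProtected), the 'adm_csrf_token' field name and the in-memory persistence callback are assumptions chosen for illustration. The vulnerable shape writes the dates on any authenticated POST; the hardened shape refuses the write unless the submitted token matches the one stored server-side in the session.

```php
<?php
// Added example (not Admidio's code): a minimal CSRF-protected handler for a
// "save_membership" style action. All names below are hypothetical.

declare(strict_types=1);

const CSRF_FIELD = 'adm_csrf_token';   // assumed form field / session key

// Issue one unpredictable token per session and keep it server-side.
function issueCsrfToken(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

// Compare the submitted token with the session copy in constant time.
function validateCsrfToken(array $session, array $post): bool
{
    $expected = $session[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Vulnerable shape: the session cookie alone authorizes the write, so a
// cross-site form submitted by the victim's browser is accepted.
function saveMembershipUnprotected(array $post, callable $persist): bool
{
    return $persist($post['membership_uuid'], $post['date_from'], $post['date_to']);
}

// Hardened shape: the write happens only when the token check passes.
function saveMembershipProtected(array $session, array $post, callable $persist): bool
{
    if (!validateCsrfToken($session, $post)) {
        return false;   // real code would log the rejection and render an error
    }
    return $persist($post['membership_uuid'], $post['date_from'], $post['date_to']);
}

// Constructed in-memory "database" standing in for the membership table.
$db = [];
$persist = function (string $uuid, string $from, string $to) use (&$db): bool {
    $db[$uuid] = ['from' => $from, 'to' => $to];
    return true;
};

$session = [];
$token = issueCsrfToken($session);

// Constructed request body as a cross-site form would send it: the browser
// attaches the session cookie, but the form cannot know the session token.
$noToken = [
    'membership_uuid' => 'uuid-constructed-0001',
    'date_from'       => '2020-01-01',
    'date_to'         => '2020-01-02',
];

// Same body as a same-origin form would send it, with the token echoed back.
$withToken = $noToken + [CSRF_FIELD => $token];

echo "unprotected, no token:   ", var_export(saveMembershipUnprotected($noToken, $persist), true), PHP_EOL;
echo "protected, no token:     ", var_export(saveMembershipProtected($session, $noToken, $persist), true), PHP_EOL;
echo "protected, with token:   ", var_export(saveMembershipProtected($session, $withToken, $persist), true), PHP_EOL;
echo "rows written: ", count($db), PHP_EOL;
```

The check sits at the top of the handler, before any database access, and uses hash_equals rather than a plain string comparison so the token cannot be guessed byte by byte through timing differences. The advisory's point is that the protection must cover every state-changing action, so the same guard belongs on each sibling action, not only on the ones that already had it.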

Added: Mar 19, 2026, 11:22 PM
Updated: Mar 19, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.