Admidio Unrestricted File Upload Vulnerability in Documents & Files Module Allowing Remote Code Execution

Vulnerability

A critical unrestricted file upload vulnerability has been identified in Admidio versions 5.0.6 and prior, within the Documents & Files module. The flaw lies in `UploadHandlerFile.php`, where the handling of the CSRF token check and the file extension validation interact improperly: an authenticated user with upload permissions who submits an invalid CSRF token bypasses the file extension restrictions. This allows the upload of arbitrary file types, including PHP scripts, which could then be executed on the server, leading to full server compromise, data exfiltration, and lateral movement. The vulnerability has been patched in version 5.0.7.
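The interaction described above, in which a failed CSRF check ends up short-circuiting the extension check, can be modelled as a fail-open control flow. The following is an added illustration in Python, not Admidio's own `UploadHandlerFile.php`: the function names, the allow-list and the exact control flow are assumptions chosen to show the pattern and its fail-closed counterpart.

```python
"""Hypothetical model of two upload validators that fail open when combined badly."""
import os
import secrets

# Constructed allow-list of extensions the handler is meant to accept.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt"}


class CsrfError(Exception):
    """Raised when the submitted token does not match the session token."""


def check_csrf(session_token: str, submitted_token: str) -> None:
    # Constant-time comparison; raises instead of returning a flag.
    if not secrets.compare_digest(session_token, submitted_token):
        raise CsrfError("invalid CSRF token")


def extension_allowed(filename: str) -> bool:
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in ALLOWED_EXTENSIONS


def upload_fail_open(session_token: str, submitted_token: str, filename: str) -> bool:
    """Vulnerable pattern (assumed shape): the extension check sits in the same
    try block as the CSRF check, and the except branch only swallows the error,
    so an invalid token skips the extension check and the file is still stored."""
    try:
        check_csrf(session_token, submitted_token)
        if not extension_allowed(filename):
            return False
    except CsrfError:
        pass  # error is dropped; control continues to the accept path
    return True


def upload_fail_closed(session_token: str, submitted_token: str, filename: str) -> bool:
    """Hardened pattern: each check is independent and any failure denies."""
    try:
        check_csrf(session_token, submitted_token)
    except CsrfError:
        return False
    return extension_allowed(filename)
```

With a valid token both variants reject `shell.php`; with an invalid token only the fail-closed variant still rejects it.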

Impact

Exploitation of this vulnerability allows authenticated users with upload permissions to bypass file extension validations, upload malicious scripts such as PHP web shells, and execute them on the server. This could result in a complete compromise of the server, unauthorized access to sensitive data, and potential lateral movement within the network.

Reproduction

To reproduce this vulnerability, log into Admidio as a user with upload rights in the Documents & Files module. Intercept the file upload request using a proxy tool like Burp Suite. Replace the CSRF token with an invalid value and upload a PHP file disguised as a different file type. After forwarding the request, the server will accept the upload despite the invalid token. The uploaded file can then be accessed and executed, confirming the successful exploitation of the vulnerability.

Remediation

Users are advised to update to Admidio version 5.0.7, where this vulnerability has been fixed.

Added: Mar 20, 2026, 12:25 AM
Updated: Mar 20, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 7.5
exploitability: 6.2
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.