Admidio Cross-Site Request Forgery Vulnerability in Role Management Actions

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Admidio versions 5.0.0 through 5.0.6. The issue arises in the role management module, specifically in the 'delete', 'activate', and 'deactivate' actions, which fail to validate CSRF tokens. Because of this missing validation, an attacker can embed a forged POST request in an external page so that a user holding role assignment rights who visits that page deletes or modifies organizational roles without intending to. Deleting a role is permanent and disrupts all associated memberships and rights, while deactivating a role silently removes access from the group's members without deleting the role itself.

Impact

Exploitation of this vulnerability allows for permanent deletion of roles and associated data, mass revocation of memberships and access rights, or unauthorized activation or deactivation of groups.

Reproduction

To reproduce this vulnerability, first collect role UUIDs from the public 'cards' view of the groups-roles module, which does not require authentication. Then, embed a forged POST request to the 'groups_roles.php' file, specifying the 'delete', 'activate', or 'deactivate' mode and the targeted role UUID. The request can be sent without a CSRF token, because the server does not validate one for these actions. When a user with the 'rol_assign_roles' right visits the page containing the embedded form, the targeted role is modified or deleted without their consent.

Remediation

Users are advised to update to Admidio version 5.0.7, which addresses this vulnerability by implementing proper CSRF token validation in the affected role management actions.
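As an added illustration (not Admidio's own code and not the 5.0.7 patch), the following hypothetical PHP handler for a mode-dispatched role action shows the unchecked pattern described above next to a version that validates a per-session CSRF token before acting on the submitted role UUID; the function names, the session layout and the sample UUID are assumptions:

```php
<?php
// Added example, not Admidio's own code: a hypothetical handler for the
// 'delete' / 'activate' / 'deactivate' role modes, unchecked and hardened.
declare(strict_types=1);

const ROLE_MODES = ['delete', 'activate', 'deactivate'];

/** Issue (or reuse) the session's token; embed it in every state-changing form. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Vulnerable pattern: mode and UUID are trusted straight from the POST body. */
function handleRoleActionUnchecked(array $post, callable $applyMode): bool
{
    if (!in_array($post['mode'] ?? '', ROLE_MODES, true)) {
        return false;
    }
    $applyMode($post['mode'], (string) ($post['role_uuid'] ?? ''));
    return true;
}

/** Hardened pattern: a cross-origin forged POST cannot supply the session token. */
function handleRoleActionChecked(array $post, array &$session, callable $applyMode): bool
{
    $given = $post['csrf_token'] ?? '';
    // hash_equals avoids leaking the token through comparison timing.
    if (!is_string($given) || !hash_equals(csrfToken($session), $given)) {
        http_response_code(403);
        return false;
    }
    if (!in_array($post['mode'] ?? '', ROLE_MODES, true)) {
        return false;
    }
    $applyMode($post['mode'], (string) ($post['role_uuid'] ?? ''));
    return true;
}

// Constructed demo: the same forged request against both handlers.
$session = [];
$log = [];
$apply = function (string $mode, string $uuid) use (&$log): void { $log[] = "$mode $uuid"; };
$forged = ['mode' => 'delete', 'role_uuid' => 'PLACEHOLDER-ROLE-UUID'];
handleRoleActionUnchecked($forged, $apply);            // applied: nothing checked the origin
handleRoleActionChecked($forged, $session, $apply);    // rejected: no token in the forged body
$legit = $forged + ['csrf_token' => csrfToken($session)];
handleRoleActionChecked($legit, $session, $apply);     // applied: token matches the session
```

The token must be generated per session and re-validated on every one of the three modes, since the page notes that deactivation silently strips access even though the role survives.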

Added: Mar 19, 2026, 11:23 PM
Updated: Mar 19, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.