Admidio
cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*
- >= 5.0.0, <= 5.0.6
Admidio versions 5.0.0 through 5.0.6 contain a missing-authorization flaw in the documents and files module. The folder and file deletion handlers check only that the requester may VIEW the item, never that the requester may delete it, and they do not validate a CSRF token. Deletion can therefore be triggered by a plain HTTP GET request. When the module is public and a folder is marked public, an unauthenticated attacker can permanently delete the entire document library; when the module is members-only, any logged-in user with view-only access can delete whatever they are allowed to read.
Exploitation results in unauthorized, permanent deletion of documents and folders. In public mode an unauthenticated attacker can delete any or all documents; in members-only mode a logged-in user with view rights can delete files, bypassing the module's upload and management restrictions. Because the deletion removes the items from both the database and the filesystem, there is no undo: the only recovery is restoring from a backup.
To reproduce, use a disposable test instance or take a backup first, because the deletion cannot be reversed. With the documents and files module enabled and set to public mode, fetch the public document list to obtain the UUID of a public folder, then send a GET request to the folder deletion endpoint with that UUID as a parameter. The response confirms the deletion, and the folder and all of its contents are permanently removed from the database and the filesystem.
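As an added illustration (not Admidio's own code or API, which the advisory does not reproduce), the following hypothetical Python model contrasts the vulnerable pattern described above, a deletion handler that performs only a VIEW check and accepts a GET without a CSRF token, with a hardened handler that requires POST, a valid per-session CSRF token, an authenticated user and an explicit manage permission. The folders, sessions, parameter names and status codes are constructed for the example.

```python
"""Hypothetical model of a document-deletion handler with a VIEW-only
authorization check (vulnerable) beside a hardened version. Added
illustration; not Admidio's code, endpoints or permission model."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hmac
import secrets


@dataclass
class Session:
    user: Optional[str]          # None models an unauthenticated visitor
    can_manage: bool = False     # hypothetical upload/delete role flag
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    session: Session


@dataclass
class Folder:
    uuid: str
    public: bool


class DocumentLibrary:
    def __init__(self, folders: List[Folder], module_public: bool):
        self.folders = {f.uuid: f for f in folders}
        self.module_public = module_public

    def can_view(self, session: Session, folder: Folder) -> bool:
        # VIEW: anyone if module and folder are public, otherwise any member.
        if self.module_public and folder.public:
            return True
        return session.user is not None

    def delete_folder_vulnerable(self, req: Request) -> int:
        """Vulnerable pattern: VIEW check only, any method, no CSRF token."""
        folder = self.folders.get(req.params.get("folder_uuid", ""))
        if folder is None:
            return 404
        if not self.can_view(req.session, folder):
            return 403
        del self.folders[folder.uuid]   # irreversible, no confirmation step
        return 200

    def delete_folder_hardened(self, req: Request) -> int:
        """Hardened pattern: POST only, CSRF token, authenticated + manage right."""
        if req.method != "POST":
            return 405
        token = req.params.get("csrf_token", "")
        if not hmac.compare_digest(token, req.session.csrf_token):
            return 403
        if req.session.user is None or not req.session.can_manage:
            return 403
        folder = self.folders.get(req.params.get("folder_uuid", ""))
        if folder is None:
            return 404
        del self.folders[folder.uuid]
        return 200


def run_scenarios() -> Dict[str, int]:
    """Exercise both handlers with constructed sessions; returns status codes."""
    def fresh() -> DocumentLibrary:
        return DocumentLibrary([Folder("f-public", True), Folder("f-private", False)],
                               module_public=True)

    anon = Session(user=None)
    viewer = Session(user="alice")                    # member, view rights only
    manager = Session(user="bob", can_manage=True)
    out: Dict[str, int] = {}

    lib = fresh()
    out["vuln_anon_get_public"] = lib.delete_folder_vulnerable(
        Request("GET", {"folder_uuid": "f-public"}, anon))
    out["vuln_anon_get_private"] = lib.delete_folder_vulnerable(
        Request("GET", {"folder_uuid": "f-private"}, anon))
    out["vuln_viewer_get_private"] = lib.delete_folder_vulnerable(
        Request("GET", {"folder_uuid": "f-private"}, viewer))
    out["vuln_remaining"] = len(lib.folders)

    lib = fresh()
    out["hard_anon_get"] = lib.delete_folder_hardened(
        Request("GET", {"folder_uuid": "f-public"}, anon))
    out["hard_anon_post_no_token"] = lib.delete_folder_hardened(
        Request("POST", {"folder_uuid": "f-public"}, anon))
    out["hard_viewer_post_token"] = lib.delete_folder_hardened(
        Request("POST", {"folder_uuid": "f-public", "csrf_token": viewer.csrf_token}, viewer))
    out["hard_manager_post_bad_token"] = lib.delete_folder_hardened(
        Request("POST", {"folder_uuid": "f-public", "csrf_token": "guess"}, manager))
    out["hard_manager_post_token"] = lib.delete_folder_hardened(
        Request("POST", {"folder_uuid": "f-public", "csrf_token": manager.csrf_token}, manager))
    out["hard_remaining"] = len(lib.folders)
    return out


if __name__ == "__main__":
    for name, code in run_scenarios().items():
        print(f"{name}: {code}")
```

Running the script shows the vulnerable handler accepting an anonymous GET against the public folder and a view-only member's GET against the private folder, leaving the library empty, while the hardened handler rejects the same requests on method, token or permission grounds and only honours a POST from a manager carrying that manager's own token.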
Update to Admidio 5.0.7 or later, where this vulnerability has been fixed. Switching the module from public to members-only reduces exposure to unauthenticated attackers but does not prevent deletion by logged-in users with view rights, so it is not a substitute for upgrading.