Admidio Forum Module Missing Authorization Vulnerability Allowing Unauthorized Deletion of Topics and Posts

Vulnerability

A vulnerability exists in the forum module of Admidio versions 5.0.0 through 5.0.6, where the deletion of forum topics and posts is not properly authorized. The 'topic_delete' and 'post_delete' modes in 'forum.php' validate only the CSRF token; they never check whether the current user is permitted to delete the targeted content. Because the CSRF token is issued to the attacker's own session, it is no obstacle to a logged-in user. As a result, any authenticated user with forum access can delete any topic, together with all of its posts, or any individual post, simply by supplying its UUID, which is exposed in the forum pages. This contrasts with the save/edit operations in the same module, which do validate permissions correctly.
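The following is an added illustration, not Admidio's own code: it models the shape of the bug described above (a delete branch gated only by a CSRF check) next to a hardened version that adds an object-level authorization check. The User and ForumTopic classes, validateCsrfToken(), and the "author or forum admin" rule are assumptions made for this example, not Admidio's real classes or its actual permission policy; the UUID and user IDs are constructed sample data.

```php
<?php
// Added example, not Admidio's own code: vulnerable delete handler (CSRF check
// only) beside a hardened one. User, ForumTopic, validateCsrfToken() and the
// "author or forum admin" rule are assumptions for this illustration, not
// Admidio's real classes or policy. Requires PHP 8.1+ (readonly properties).
declare(strict_types=1);

final class User
{
    public function __construct(
        public readonly int $id,
        public readonly bool $forumAdmin = false,
    ) {}
}

final class ForumTopic
{
    public bool $deleted = false;

    public function __construct(
        public readonly string $uuid,
        public readonly int $createdBy,   // user id of the topic author
    ) {}
}

// CSRF check: proves the request came from a page the server issued to this
// session. It says nothing about what the session's user is allowed to do.
function validateCsrfToken(string $sessionToken, string $submittedToken): void
{
    if (!hash_equals($sessionToken, $submittedToken)) {
        throw new RuntimeException('invalid CSRF token');
    }
}

// Vulnerable shape: any logged-in user holding their own valid token can
// delete any topic whose UUID they know, and with it every post in it.
function deleteTopicVulnerable(User $user, ForumTopic $topic,
                               string $sessionToken, string $submittedToken): void
{
    validateCsrfToken($sessionToken, $submittedToken);
    $topic->deleted = true;
}

// Hardened shape: same CSRF check, then an authorization check that binds
// the acting user to this specific topic before anything is deleted.
function deleteTopicFixed(User $user, ForumTopic $topic,
                          string $sessionToken, string $submittedToken): void
{
    validateCsrfToken($sessionToken, $submittedToken);
    if (!$user->forumAdmin && $user->id !== $topic->createdBy) {
        throw new RuntimeException('forbidden: only the author or a forum admin may delete this topic');
    }
    $topic->deleted = true;
}

// Constructed scenario: user 7 (no admin rights) targets a topic created by
// user 1. The token is the attacker's own session token, which every
// logged-in user legitimately holds.
$token     = bin2hex(random_bytes(16));
$attacker  = new User(id: 7);
$topicUuid = '6f1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d';   // constructed sample UUID

$topic = new ForumTopic($topicUuid, createdBy: 1);
deleteTopicVulnerable($attacker, $topic, $token, $token);
echo 'vulnerable handler: deleted=', var_export($topic->deleted, true), PHP_EOL;

$topic = new ForumTopic($topicUuid, createdBy: 1);
try {
    deleteTopicFixed($attacker, $topic, $token, $token);
} catch (RuntimeException $e) {
    echo 'fixed handler: ', $e->getMessage(), PHP_EOL;
}
echo 'fixed handler: deleted=', var_export($topic->deleted, true), PHP_EOL;

// The author still succeeds under the fixed handler.
$author = new User(id: 1);
$own    = new ForumTopic($topicUuid, createdBy: 1);
deleteTopicFixed($author, $own, $token, $token);
echo 'fixed handler, author: deleted=', var_export($own->deleted, true), PHP_EOL;
```

Run it with `php example.php`. The point to take away is that a CSRF token only authenticates the origin of the request; whether the acting user may delete the specific object is a separate decision that must be made per object, the same way the module's save/edit paths already do.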

Impact

Exploitation of this vulnerability allows any logged-in user to permanently delete any forum topic or post, bypassing authorization checks. This leads to unauthorized destruction of forum content, including posts created by administrators or other authorized users, with no possibility of recovery except from database backups.

Reproduction

To reproduce this vulnerability, an authenticated user with forum access sends a POST request to 'forum.php' with the 'topic_delete' or 'post_delete' mode, including the UUID of the target topic or post and a valid CSRF token from their own session. The deletion is processed successfully, without any check that the user is the author of the content or otherwise entitled to remove it.

Remediation

Users are advised to update to Admidio version 5.0.7, which addresses this vulnerability by implementing the necessary authorization checks for deleting forum topics and posts.

Added: Mar 19, 2026, 11:20 PM
Updated: Mar 19, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.