Admidio Unauthenticated Access to Role-Restricted Documents Vulnerability

Vulnerability

A vulnerability in Admidio versions 5.0.0 prior to 5.0.8 allows unauthenticated access to role-restricted documents. The issue arises because the Docker image's Apache configuration ignores .htaccess files, which are intended to deny direct HTTP access to uploaded documents. As a result, files uploaded to the documents module are accessible over HTTP without authentication, regardless of the role-based permissions set in the user interface. The vulnerability has been patched in version 5.0.8.

Impact

This vulnerability bypasses role-based access control on the documents module, allowing any uploaded file to be accessed publicly without authentication. Sensitive organizational documents could be exposed to anyone who knows or can guess the file path, which is disclosed in the upload response JSON.

Reproduction

To reproduce this vulnerability, upload a file to a folder restricted to the Administrator role. The upload response will include a direct URL to the file, which can then be accessed without authentication, despite the folder's role restrictions.

Remediation

Users are advised to update to Admidio version 5.0.8 or later. Alternatively, .htaccess overrides can be enabled in the Apache configuration, uploaded files can be moved outside the web root and served through Admidio's download handler, or an explicit deny can be set at the Apache level for the upload directory.
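An added illustration of the two Apache-level remediations named above (it is not from the advisory or from the Admidio project): the weak override setting next to its corrected form, and a server-side deny for the upload directory. The document root /var/www/html, the Apache 2.4 directive syntax, and UPLOAD_DIR_PLACEHOLDER (standing in for the real documents path, which is not given here) are assumptions.

```apache
# Added example; /var/www/html and UPLOAD_DIR_PLACEHOLDER are assumptions.

# Weak setting: with "None", Apache never reads .htaccess files below this
# directory, so the deny rule placed in the upload folder has no effect and
# every uploaded document is served to anyone who requests its URL.
#<Directory "/var/www/html">
#    AllowOverride None
#</Directory>

# Fix 1: let .htaccess be read again. "AuthConfig" is the override class that
# permits the Require directive used for denying access; "All" is the broader
# equivalent if the application's .htaccess also carries other directives.
<Directory "/var/www/html">
    AllowOverride AuthConfig
</Directory>

# Fix 2 (independent of .htaccess): refuse direct HTTP requests to the upload
# directory in the server configuration itself. The application process can
# still read the files from disk and stream them through its authenticated
# download handler, so role checks in the UI are enforced again.
<Directory "/var/www/html/UPLOAD_DIR_PLACEHOLDER">
    Require all denied
</Directory>
```

After reloading Apache, an unauthenticated request for a URL taken from an upload response should return 403 rather than the file; that is the check that confirms the directory is no longer exposed.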

Added: Mar 31, 2026, 11:23 PM
Updated: Mar 31, 2026, 11:23 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 5.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.