Admidio
cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*
- <= 5.0.6
A vulnerability exists in Admidio versions prior to 5.0.8, where the user registration approval actions in the registration module lack proper Cross-Site Request Forgery (CSRF) protection. The 'create_user', 'assign_member', and 'assign_user' modes approve registrations via GET requests without validating CSRF tokens. This oversight allows an attacker to exploit the system by tricking an administrator into approving their registration, bypassing the manual approval process. The vulnerability arises because these approval actions read parameters from the GET request and make irreversible changes without any safeguards, unlike the 'delete_user' mode, which correctly validates the CSRF token.
Exploitation of this vulnerability allows for unauthorized approval of user registrations, bypassing manual review processes. This could lead to unauthorized access to organization membership and associated privileges. Additionally, the 'assign_user' mode could be exploited for account takeover by merging an attacker's registration with an existing user's account.
To reproduce this vulnerability, first, ensure that manual registration approval is enabled. An attacker must submit a registration form to receive a confirmation email containing their user UUID. After the registration is confirmed, the attacker can extract their UUID from the email and create a crafted URL that, when visited by an administrator with the 'rol_approve_users' right, will automatically approve the registration. This can be done by embedding the URL in an image tag, exploiting the lack of CSRF protection.
Users can update to Admidio version 5.0.8 or later, where this vulnerability has been patched. For versions prior to 5.0.8, it is recommended to manually validate CSRF tokens in the registration approval actions.
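To make the defect and the fix concrete, the following added example (not Admidio's code) models the approval handler in Python: the pre-5.0.8 pattern that reads mode and user UUID from a GET request with no token check, beside a hardened handler that requires POST and a session-bound CSRF token. The `Session`, `Request`, `csrf_token` and `user_uuid` names are hypothetical stand-ins, not Admidio's own identifiers.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Modes named in the advisory: the three that lacked CSRF protection
# and delete_user, which already validated the token.
STATE_CHANGING_MODES = {"create_user", "assign_member", "assign_user", "delete_user"}


@dataclass
class Session:
    """Hypothetical server-side session for the logged-in user."""
    user_id: int
    can_approve_users: bool  # stands in for the 'rol_approve_users' right
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Hypothetical request: query holds URL (GET) params, form holds POST params."""
    method: str
    query: dict
    form: dict


def approve_vulnerable(session: Session, request: Request) -> str:
    """Pre-5.0.8 pattern: mode and UUID come from the URL and the state change
    happens with no token check, so a cross-site <img src=...> loaded by an
    administrator is enough to trigger it."""
    mode = request.query.get("mode")
    if not session.can_approve_users or mode not in STATE_CHANGING_MODES:
        return "denied"
    return f"approved:{request.query.get('user_uuid', '')}:{mode}"


def approve_hardened(session: Session, request: Request) -> str:
    """Hardened pattern: GET is side-effect free; state changes need POST plus
    a token equal to the session's, compared in constant time."""
    if not session.can_approve_users or request.method != "POST":
        return "denied"
    mode = request.form.get("mode")
    if mode not in STATE_CHANGING_MODES:
        return "denied"
    submitted = request.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "denied"
    return f"approved:{request.form.get('user_uuid', '')}:{mode}"


if __name__ == "__main__":
    admin = Session(user_id=1, can_approve_users=True)
    # Constructed cross-site GET, as an <img> tag on an attacker page would issue it.
    forged = Request("GET", {"mode": "assign_user", "user_uuid": "CONSTRUCTED-UUID"}, {})
    print("vulnerable:", approve_vulnerable(admin, forged))  # approved
    print("hardened:  ", approve_hardened(admin, forged))    # denied
```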