Admidio Path Traversal Vulnerability in Documents Module Allows Arbitrary File Read

A path traversal vulnerability has been identified in Admidio versions prior to 5.0.9. The issue arises in the documents module, specifically within the 'add' mode of 'modules/documents-files.php'. The vulnerability allows low-privileged attackers to exploit unvalidated 'name' parameters, bypassing security measures and enabling the registration of arbitrary server files into accessible documents folders. This exploitation is facilitated by the lack of Cross-Site Request Forgery (CSRF) protection on the endpoint and the use of SameSite=Lax session cookies, which together create a window for social engineering attacks.

Impact

Exploitation of this vulnerability allows for arbitrary file reading on the server, with a particular focus on files containing sensitive information, such as database credentials. The vulnerability also poses a risk of unauthorized file access through the application's document management system.

Reproduction

To reproduce this vulnerability, a regular user account with access to the documents module is required. First, obtain a public folder UUID by listing the contents of the documents module. Then, craft a link that exploits the path traversal vulnerability by targeting a sensitive file, such as 'install/config.php', and include the crafted link in a message to a documents administrator. When the administrator clicks the link, the file will be registered in a folder accessible to the attacker. Finally, the attacker can retrieve the file through the application's file download functionality.

Remediation

Users are advised to update to Admidio version 5.0.9, which addresses this vulnerability by implementing proper input validation, adding CSRF protection to the 'add' mode, and incorporating path canonicalization checks.