Admidio Hidden Personal Information Leakage Vulnerability via SQL Search Oracle

Vulnerability

A vulnerability in Admidio's member assignment DataTables endpoint (members_assignment_data.php) prior to version 5.0.9 allows role leaders with assign-only permissions to infer hidden personal information. The issue arises because the SQL search condition includes concealed profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) without regard for their visibility settings. Although the JSON output correctly omits hidden columns, the server-side search applies SQL filters before any visibility checks, enabling unauthorized access to sensitive data. This vulnerability has been patched in Admidio version 5.0.9.

Impact

Exploitation of this vulnerability allows for the unauthorized extraction of hidden personal information, including exact birthdates, full street addresses, city and postal code details, and country of residence. This constitutes a blind oracle attack, where the values of hidden fields are never directly displayed, but can be inferred by searching for specific data and analyzing the resulting user names and search result counts.

Reproduction

To reproduce this vulnerability, first log in as a role leader with 'assign-only' permissions. Ensure that the BIRTHDAY field is set to hidden. Then, access the 'members_assignment_data.php' endpoint and perform a search for a specific birthday value. The response will include only those users whose hidden birthday matches the search query, demonstrating how hidden values can be inferred. This method can also be used to extract other hidden information, such as street addresses, by searching for relevant data and observing which users are returned in the results.

Remediation

Users are advised to update to Admidio version 5.0.9, where this vulnerability has been fixed.

Added: May 7, 2026, 4:35 AM
Updated: May 7, 2026, 4:35 AM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          0.6
exploitability  6.6
remediation     7.7
relevance       7.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.