Admidio
cpe:2.3:a:admidio:admidio:*:*:*:*:*:*:*
- <= 5.0.8
A vulnerability in Admidio's user management system prior to version 5.0.9 allows an administrator to remove the last remaining administrator, leaving the installation with no administrative access. The issue arises because 'Role::stopMembership()' does not check whether ending a membership would leave zero administrators. The flaw can be exploited by any administrator; concurrent requests are not required, since sequential removals have the same effect.
Exploiting this vulnerability causes a total loss of administrative access to the Admidio instance, and recovery requires direct database intervention.
To reproduce this vulnerability, two active administrator accounts are needed. Admin A removes Admin B from the administrator role via 'Role::stopMembership()', which performs no minimum-administrator check. Once Admin B is removed, Admin A is the sole administrator and cannot remove their own membership, but the system remains vulnerable: if both administrators issue removal requests for each other, the system can be left with zero administrators, locking out all administrative access.
Users are advised to update to Admidio version 5.0.9, which addresses this vulnerability by restoring the necessary checks to prevent the removal of the last administrator.
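The following PHP script is an added illustration of the flaw and of the check the fix needs; it is not Admidio's code and does not use Admidio's database schema. It models role memberships in memory: 'stopMembershipUnchecked()' mirrors the vulnerable behaviour (ending a membership unconditionally), while 'stopMembershipChecked()' counts the administrators that would remain and refuses to end the last one. The class and method names, 'ADMIN_ROLE', and the sample accounts are assumptions made for the example.

```php
<?php
// Added example, not Admidio's code. MembershipStore, activeAdminCount(),
// stopMembershipUnchecked(), stopMembershipChecked() and ADMIN_ROLE are
// hypothetical names; the two accounts below are constructed sample data.

const ADMIN_ROLE = 'Administrator';

final class MembershipStore
{
    /** @var array<int, array{user: string, role: string, active: bool}> */
    private array $memberships = [];
    private int $nextId = 1;

    public function add(string $user, string $role): int
    {
        $id = $this->nextId++;
        $this->memberships[$id] = ['user' => $user, 'role' => $role, 'active' => true];
        return $id;
    }

    // Number of users who currently hold an active administrator membership.
    public function activeAdminCount(): int
    {
        $n = 0;
        foreach ($this->memberships as $m) {
            if ($m['active'] && $m['role'] === ADMIN_ROLE) {
                $n++;
            }
        }
        return $n;
    }

    // Vulnerable pattern: ends the membership without looking at how many
    // administrators remain, so repeated calls can drive the count to zero.
    public function stopMembershipUnchecked(int $id): void
    {
        if (isset($this->memberships[$id])) {
            $this->memberships[$id]['active'] = false;
        }
    }

    // Hardened pattern: refuse the change if it would leave no administrator.
    // In a real deployment the count and the update must run in one database
    // transaction with a row lock on the role (e.g. SELECT ... FOR UPDATE),
    // otherwise two concurrent requests can both pass the check.
    public function stopMembershipChecked(int $id): void
    {
        $m = $this->memberships[$id] ?? null;
        if ($m === null || !$m['active']) {
            return;
        }
        if ($m['role'] === ADMIN_ROLE && $this->activeAdminCount() - 1 < 1) {
            throw new RuntimeException('Refusing to end the last administrator membership');
        }
        $this->memberships[$id]['active'] = false;
    }
}

// Two administrators, as in the reproduction steps above (constructed data).
$store = new MembershipStore();
$a = $store->add('admin_a', ADMIN_ROLE);
$b = $store->add('admin_b', ADMIN_ROLE);

// Unchecked: A's membership is ended after B's, and nobody can administer.
$store->stopMembershipUnchecked($b);
$store->stopMembershipUnchecked($a);
printf("unchecked: %d administrator(s) left\n", $store->activeAdminCount());

// Checked: the first removal succeeds, the second is refused.
$store = new MembershipStore();
$a = $store->add('admin_a', ADMIN_ROLE);
$b = $store->add('admin_b', ADMIN_ROLE);
$store->stopMembershipChecked($b);
try {
    $store->stopMembershipChecked($a);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
printf("checked: %d administrator(s) left\n", $store->activeAdminCount());
```

The count must exclude the membership being ended (hence the '- 1') and be taken under the same lock or transaction as the update; a check performed outside the transaction still lets two mutually removing requests succeed.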