Severity: Critical (Active)

Admidio Authorization and CSRF Bypass on Document Deletion

Admidio's documents-files module fails to enforce DELETE authorization and CSRF protection, allowing unauthenticated users to permanently destroy document libraries when public access is enabled, or allowing authenticated read-only users to delete content they cannot modify.

Sebastion

Affected

Admidio/admidio

Vulnerability Description

The documents-files module in Admidio exhibits a critical authorization control gap. The vulnerability chain involves three distinct flaws: (1) authorization bypass: before a deletion the module only validates VIEW permission, via getFolderForDownload() and getFileForDownload(), and never checks an explicit DELETE right; (2) missing CSRF token validation: the deletion actions carry no anti-forgery token, so a victim's browser can be made to issue them from any third-party page; (3) GET-based state mutation: the target UUIDs are read from $_GET, so a deletion is triggered by a single GET request, which can be delivered as a link or an image tag. The root cause is incomplete permission model enforcement during destructive operations: the only gate on a destructive action is the check designed for a read.

Proof-of-Concept Significance

This PoC is high-fidelity because it demonstrates a complete exploitation path: when documents_files_module_enabled = 1 (public mode), the access control check at lines 72-76 permits unauthenticated requests to reach the action handlers. Combined with the absence of a CSRF token requirement and the GET-parameter mutation, an attacker can delete a folder or file with a single HTTP GET request that needs nothing more than the target UUID. The precondition is minimal: public module availability. Even in restricted deployments, any authenticated user with view-only access can delete the entire document tree that they are allowed to see. Exploitation is reliable because it relies on fundamental control-flow flaws, not on edge cases or race conditions.

Detection Guidance

Log Indicators:

  • HTTP GET requests to /modules/documents-files.php with action=folder_delete or action=file_delete parameters
  • Rapid sequences of deletion actions from a single IP/session
  • Deletion actions performed by users whose role lacks an explicit DELETE permission; this requires Admidio's application-level audit trail, since a web server access log records IP, method, URL and status but not the session's user or role
  • State-changing requests to the module that arrive without a CSRF token; a token is carried in the POST body, so in an access log this reduces to "deletion action via GET"

Signature patterns:

  • Regex (order-independent, so it also matches when uuid precedes action): documents-files\.php\?(?=\S*action=(folder|file)_delete)(?=\S*uuid=[0-9a-f-]{36})
  • Monitor for GET requests to the folder/file deletion endpoints; after the fix these actions should only ever be POSTed, so any GET is an attempt

Log search: look for documents-files.php requests with action=folder_delete or action=file_delete where the method is GET. A 2xx or 3xx status on such a request means the deletion most likely went through; a 403 suggests a deployment where module access is already restricted.
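The indicators above run over a few constructed access-log lines, as an added example that is not part of the original advisory. The log lines, IPs and UUIDs are made up; the path and parameter names are the ones the advisory cites. The script parses the query string instead of pattern-matching the raw line, so parameter order does not matter, and it applies the "rapid sequence from one IP" indicator with a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample log in Apache "combined" format. Not real traffic.
# Lines 1-3: one client deleting three objects via GET within seconds.
# Line 4: a POSTed deletion (what a fixed version would emit).
# Line 5: an ordinary view action.  Line 6: a GET deletion that was refused.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:14:01:02 +0000] "GET /modules/documents-files.php?action=folder_delete&uuid=4f2c1e9a-7b3d-4e52-9a1b-0c6d8e2f3a41 HTTP/1.1" 200 512 "-" "curl/8.6.0"
203.0.113.7 - - [10/May/2024:14:01:05 +0000] "GET /modules/documents-files.php?uuid=9b1d2c3e-4f50-4a61-8b72-93c4d5e6f708&action=file_delete HTTP/1.1" 200 498 "-" "curl/8.6.0"
203.0.113.7 - - [10/May/2024:14:01:09 +0000] "GET /modules/documents-files.php?action=file_delete&uuid=0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d HTTP/1.1" 200 498 "-" "curl/8.6.0"
198.51.100.5 - - [10/May/2024:14:03:30 +0000] "POST /modules/documents-files.php?action=file_delete&uuid=1c2d3e4f-5a6b-4c7d-8e9f-0a1b2c3d4e5f HTTP/1.1" 302 0 "https://club.example/modules/documents-files.php" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:14:04:00 +0000] "GET /modules/documents-files.php?action=folder_view&uuid=4f2c1e9a-7b3d-4e52-9a1b-0c6d8e2f3a41 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:14:04:10 +0000] "GET /modules/documents-files.php?action=folder_delete&uuid=4f2c1e9a-7b3d-4e52-9a1b-0c6d8e2f3a41 HTTP/1.1" 403 221 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
DELETE_ACTIONS = {"folder_delete", "file_delete"}
ENDPOINT = "documents-files.php"


def parse_line(line):
    """Return a deletion event dict, or None if the line is not a deletion
    request to the documents-files endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith(ENDPOINT):
        return None
    qs = parse_qs(url.query)
    action = qs.get("action", [""])[0]
    if action not in DELETE_ACTIONS:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "action": action,
        "uuid": qs.get("uuid", [""])[0],
    }


def find_deletions(lines):
    """All deletion requests, regardless of method or outcome."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def suspicious_get_deletions(events):
    """Deletions issued via GET that the server did not refuse: the exact
    shape of the exploit described in the advisory."""
    return [e for e in events if e["method"] == "GET" and e["status"] < 400]


def burst_sources(events, window_seconds=60, threshold=3):
    """IPs that issued at least `threshold` events inside any window of
    `window_seconds`; sorted for stable output."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = []
    window = timedelta(seconds=window_seconds)
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    events = find_deletions(SAMPLE_LOG.splitlines())
    hits = suspicious_get_deletions(events)
    for e in hits:
        print(f"{e['ts'].isoformat()} {e['ip']} GET {e['action']} {e['uuid']} -> {e['status']}")
    print("burst sources:", burst_sources(hits))
```

Point the script at a real log by replacing SAMPLE_LOG with the file contents; the regex assumes the combined format, so adjust LOG_RE for a custom LogFormat. The POSTed deletion on line 4 is deliberately not flagged: after the fix that is the legitimate shape, and flagging it would only produce noise.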

Mitigation Steps

  1. Immediate: Restrict the documents-files module to registered users (documents_files_module_enabled = 2) until patched. This closes only the unauthenticated path; any logged-in member with view access can still delete content, so review who holds accounts and treat the module as untrusted until the code fix is deployed
  2. Code fix required:
    • Replace the VIEW-only permission checks with an explicit DELETE permission check on the target folder or file before any delete() call; verify that one of the user's roles actually holds the DELETE right for that object rather than inheriting it from the ability to view
    • Implement CSRF token validation using the framework's CSRF utilities for all state-changing actions, and compare tokens in constant time
    • Move the deletion parameters out of $_GET into the POST body and reject the action for any other method, so that a link or image tag can no longer trigger it
    • Return the same response for "object not found" and "not permitted" so the endpoint cannot be used to confirm which UUIDs exist
  3. Hardening: Implement rate-limiting on deletion endpoints; add audit logging for all deletion attempts; consider soft-delete with recovery window
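The three code-level checks from step 2 side by side with the flawed flow, as an added, language-agnostic example written for this page; it is not Admidio's code and does not use its API. The Folder, User and Request types, the role names, the csrf_token parameter name and the Rejected reasons are all assumptions made for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Folder:
    uuid: str
    view_roles: Set[str]      # roles allowed to read/download
    delete_roles: Set[str]    # explicit DELETE right, distinct from VIEW
    deleted: bool = False


@dataclass
class User:
    name: str
    roles: Set[str]


@dataclass
class Request:
    method: str
    params: Dict[str, str]          # query string or form body, as received
    user: Optional[User]            # None = unauthenticated (public module mode)
    session_csrf: Optional[str]     # token bound to the session, None without one


class Rejected(Exception):
    """Raised with a short reason so callers can map it to 403/405."""


def vulnerable_delete(req: Request, store: Dict[str, Folder]) -> bool:
    """Reconstruction of the flawed flow described in the advisory: the only
    gate is the VIEW check that was written for downloads. Any method is
    accepted, no token is checked, and in public mode an anonymous caller
    (req.user is None) passes straight through."""
    folder = store[req.params["uuid"]]
    if req.user is not None and not (req.user.roles & folder.view_roles):
        raise Rejected("view")
    folder.deleted = True
    return True


def hardened_delete(req: Request, store: Dict[str, Folder]) -> bool:
    """Same action with the checks the mitigation section calls for, in the
    order a handler should apply them: cheap structural checks first, the
    object lookup last."""
    if req.method != "POST":                       # no state change on GET
        raise Rejected("method")
    if req.user is None or req.session_csrf is None:
        raise Rejected("auth")                     # destructive actions need a session
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session_csrf):
        raise Rejected("csrf")                     # constant-time comparison
    folder = store.get(req.params.get("uuid", ""))
    # One answer for "does not exist" and "not allowed", so the endpoint
    # cannot be used to enumerate which UUIDs are real.
    if folder is None or not (req.user.roles & folder.delete_roles):
        raise Rejected("forbidden")
    folder.deleted = True
    return True


def demo_store() -> Dict[str, Folder]:
    """Constructed fixture: one folder that members may view but only
    admins may delete."""
    uuid = "4f2c1e9a-7b3d-4e52-9a1b-0c6d8e2f3a41"
    return {uuid: Folder(uuid, {"member", "admin"}, {"admin"})}


if __name__ == "__main__":
    uuid = next(iter(demo_store()))
    anon_get = Request("GET", {"uuid": uuid}, None, None)
    print("vulnerable, anonymous GET:", vulnerable_delete(anon_get, demo_store()))
    for label, req in [
        ("anonymous GET", anon_get),
        ("viewer POST", Request("POST", {"uuid": uuid, "csrf_token": "t0k"}, User("bob", {"member"}), "t0k")),
        ("admin, wrong token", Request("POST", {"uuid": uuid, "csrf_token": "xxx"}, User("ann", {"admin"}), "t0k")),
        ("admin, valid", Request("POST", {"uuid": uuid, "csrf_token": "t0k"}, User("ann", {"admin"}), "t0k")),
    ]:
        try:
            print(label, "->", hardened_delete(req, demo_store()))
        except Rejected as e:
            print(label, "-> rejected:", e.args[0])
```

Step 3's soft delete fits naturally into this shape: `folder.deleted = True` already records the state instead of removing the row, so a recovery window only needs a timestamp and a purge job.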

Risk Assessment

Likelihood of wild exploitation: VERY HIGH. The barrier to exploitation is a single HTTP GET request carrying a target UUID; no authentication is required in public mode, and the request is trivial to automate across many instances. Organizations using Admidio's public document sharing are at immediate risk of permanent data loss.

Threat actor interest: CRITICAL. Ransomware groups, competitors, and disgruntled insiders have strong motivation to destroy documents. This is a one-click wiper vulnerability.

Threat context: Anyone who can reach an Admidio instance can test this vulnerability, and scanners will trivially identify vulnerable instances. Because the deletion requires no CSRF token and authorization is checked only at the VIEW level, the operational cost to an attacker is exceptionally low, and the UUIDs needed as targets are exposed by the same module's listing and download links.