Mar 17, 2026
A missing authorization and CSRF vulnerability in Admidio allows unauthenticated or under-privileged users to permanently delete files and folders via simple HTTP GET requests.
Admidio versions 5.0.0 through 5.0.6 suffer from a critical vulnerability in the 'Documents and Files' module. The application fails to properly enforce authorization and CSRF protections for destructive operations involving file and folder deletion, leading to unauthorized data destruction.
Admidio is an open-source user management system written in PHP. The application includes a "Documents and Files" module designed to manage document libraries and file sharing among users. This module exposes various actions through the documents-files.php endpoint, including administrative functions like file and folder deletion.
Versions 5.0.0 through 5.0.6 of Admidio contain a high-severity vulnerability tracked as GHSA-RMPJ-3X5M-9M5F. The software fails to enforce adequate authorization checks and Cross-Site Request Forgery (CSRF) protections within the document management module. This failure allows unauthorized actors to permanently delete files and folders from the application.
The vulnerability stems from a combination of three distinct weaknesses: Missing Authorization (CWE-862), Cross-Site Request Forgery (CWE-352), and Missing Authentication for Critical Functions (CWE-306). These compound flaws result in a CVSS v3.1 base score of 9.1, reflecting the low attack complexity and the severe impact on data integrity and availability.
The core issue resides in the routing and action handling logic of the modules/documents-files.php script. When the application processes folder_delete and file_delete actions, it retrieves the target UUID from the HTTP GET parameters. The application then attempts to validate the request by calling getFolderForDownload() or getFileForDownload().
These specific validation functions are designed strictly for checking read access. They verify whether the current user (or an anonymous user, if the module is configured in public mode) has permission to view the target file or folder. They do not evaluate whether the user holds the administrative or write permissions required to perform a destructive deletion.
Because the functions return successfully if the file is visible, the execution flow proceeds directly to the delete() method on the object. The application performs no further state validation, role verification, or CSRF token checking. Consequently, any user capable of viewing a document can also delete it.
The vulnerability is exacerbated by insecure default configurations. If the "Documents and Files" module is configured in public mode (documents_files_module_enabled = 1) and a folder is marked public, the read-access check succeeds for unauthenticated sessions. This explicitly satisfies the flawed validation logic, granting unauthenticated actors complete deletion capabilities.
An examination of the vulnerable codebase reveals the structural failure in access control. The documents-files.php handler processes the folder_delete action by instantiating a Folder object and invoking getFolderForDownload($getFolderUUID). This function is mapped to read-only permissions and returns without error if the folder is publicly accessible or explicitly shared with the current user.
Immediately following this read-only validation, the application invokes the $folder->delete() method. The handler accepts the input directly from the $_GET array and does not require a POST body or an anti-forgery token.
```php
case 'folder_delete':
    if ($getFolderUUID === '') {
        throw new Exception('SYS_INVALID_PAGE_VIEW');
    } else {
        $folder = new Folder($gDb);
        // Flawed validation: only checks VIEW permissions
        $folder->getFolderForDownload($getFolderUUID);
        // Destructive action executes without DELETE permission or CSRF token checks
        $folder->delete();
        echo json_encode(array('status' => 'success'));
    }
    break;
```

The remediation in version 5.0.7 fundamentally restructures this handler. The patched version enforces a strict HTTP POST requirement and mandates the presence of a valid CSRF token. Additionally, it implements explicit role-based access control, requiring the user to hold either global administrative rights for the module or specific upload/write permissions for the target folder.
```php
case 'folder_delete':
    // CSRF token validation enforced
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    if ($getFolderUUID === '') {
        throw new Exception('SYS_INVALID_PAGE_VIEW');
    } else {
        $folder = new Folder($gDb);
        $folder->getFolderForDownload($getFolderUUID);
        // Explicit access control check for deletion rights
        if (!$gCurrentUser->isAdministratorDocumentsFiles() && !$folder->hasUploadRight()) {
            throw new Exception('SYS_NO_RIGHTS');
        }
        $folder->delete();
        echo json_encode(array('status' => 'success'));
    }
    break;
```

Exploitation of GHSA-RMPJ-3X5M-9M5F requires low complexity and no specific network positioning beyond reachability to the web server. Attackers leverage the flaw using standard HTTP clients. The most direct exploitation scenario involves unauthenticated folder deletion when the module operates in public mode. An attacker enumerates folder UUIDs using the mode=list endpoint, then issues a single GET request to the folder_delete handler with the target UUID.
In environments where public access is disabled, the vulnerability manifests as a privilege escalation vector. A standard user provisioned with read-only access to a specific document repository can bypass the intended restrictions. Because the file_delete GET request carries the user's valid session cookie, the read-only validation check passes and the application processes the unauthorized deletion.
The lack of CSRF protection introduces a third exploitation vector against administrative users. An attacker can construct a malicious HTML payload containing a hidden image tag targeting the deletion endpoint. If an authenticated administrator views the webpage hosting this payload, their browser automatically executes the GET request, passing their session cookies to the Admidio server and permanently deleting the targeted asset.
```html
<!-- CSRF Payload Example -->
<img src="https://target-admidio.local/adm_program/modules/documents-files.php?mode=folder_delete&folder_uuid=TARGET_UUID" width="1" height="1">
```

The successful exploitation of this vulnerability results in total loss of data availability and integrity within the affected module. Attackers can permanently destroy files, organizational documents, and directory structures managed by Admidio. The application does not implement a soft-delete or recycle bin mechanism by default, rendering the data loss irreversible without external backups.
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H accurately reflects the severity of the unauthenticated attack path. The lack of prerequisite privileges (PR:N) and user interaction (UI:N) makes the public-mode exploit entirely autonomous. Confidentiality (C:N) remains unaffected, as the vulnerability facilitates data destruction rather than unauthorized data extraction.
Organizations relying on Admidio for critical document storage, membership records, or internal file distribution face significant operational disruption. The CSRF attack vector further expands the threat model, exposing even tightly access-controlled, non-public instances to exploitation via social engineering or embedded payloads.
The vendor addressed GHSA-RMPJ-3X5M-9M5F in Admidio version 5.0.7. Organizations running versions 5.0.0 through 5.0.6 must upgrade immediately to secure their deployments. The patch comprehensively eliminates the vulnerability by enforcing HTTP POST for state-changing operations, mandating CSRF token validation, and implementing strict role verification.
If immediate patching is organizationally prohibited, administrators can mitigate the unauthenticated attack vector by disabling public access to the "Documents and Files" module. Setting documents_files_module_enabled = 0 for public profiles prevents external actors from satisfying the read-only validation check. However, this configuration change does not protect against authenticated privilege escalation or CSRF attacks.
Network defenders can implement web application firewall (WAF) rules to detect and block exploitation attempts. Rules should monitor for HTTP GET requests containing mode=folder_delete or mode=file_delete query parameters traversing the /adm_program/modules/documents-files.php endpoint. Blocking these specific GET requests neutralizes the known attack vectors without impacting normal, patched application functionality.
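As an added example (not code from this advisory or from the Admidio project), the following Python script applies the same detection rule to a handful of constructed Apache combined-format access-log lines: it flags GET requests that carry a delete mode to the documents-files.php endpoint, extracts the targeted UUID for incident response, and marks requests whose Referer points at a foreign host as likely CSRF-delivered. The hostname admidio.example, the log lines and the IP addresses are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format access-log lines (not real traffic). Lines 2 and 3
# have the pre-patch attack shape (GET + delete mode); line 4 is the patched POST flow.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2026:10:01:02 +0000] "GET /adm_program/modules/documents-files.php?mode=list&folder_uuid=11111111-aaaa-bbbb-cccc-222222222222 HTTP/1.1" 200 4120 "-" "curl/8.4.0"
203.0.113.7 - - [17/Mar/2026:10:01:05 +0000] "GET /adm_program/modules/documents-files.php?mode=folder_delete&folder_uuid=11111111-aaaa-bbbb-cccc-222222222222 HTTP/1.1" 200 20 "-" "curl/8.4.0"
198.51.100.4 - - [17/Mar/2026:10:02:11 +0000] "GET /adm_program/modules/documents-files.php?mode=file_delete&file_uuid=33333333-dddd-eeee-ffff-444444444444 HTTP/1.1" 200 20 "https://evil.example/page.html" "Mozilla/5.0"
192.0.2.9 - - [17/Mar/2026:10:03:40 +0000] "POST /adm_program/modules/documents-files.php?mode=folder_delete HTTP/1.1" 200 20 "https://admidio.example/adm_program/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
ENDPOINT = "/adm_program/modules/documents-files.php"
DELETE_MODES = {"folder_delete", "file_delete"}

def find_delete_attempts(log_text, own_host):
    """Return one record per GET request reaching the deletion handler via the query string.
    own_host (assumed) is the Admidio host; any other Referer host marks a likely CSRF delivery."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        url = urlparse(m["target"])
        qs = parse_qs(url.query)
        mode = qs.get("mode", [""])[0]
        # Patched 5.0.7 only accepts POST with a CSRF token, so a GET carrying a delete
        # mode is never legitimate; POST requests are left alone to avoid false positives.
        if m["method"] != "GET" or url.path != ENDPOINT or mode not in DELETE_MODES:
            continue
        referer = m["referer"]
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "mode": mode,
            "uuid": (qs.get("folder_uuid") or qs.get("file_uuid") or [""])[0],
            "succeeded": m["status"] == "200",  # handler answers 200 with a JSON status
            "cross_site": referer not in ("", "-") and urlparse(referer).hostname != own_host,
        })
    return hits

if __name__ == "__main__":
    for hit in find_delete_attempts(SAMPLE_LOG, "admidio.example"):
        print(hit)
```

Running the script on the sample prints two records (the folder_delete from 203.0.113.7 and the cross-site file_delete from 198.51.100.4); the enumeration GET and the patched POST are not reported.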
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Admidio | >= 5.0.0, <= 5.0.6 | 5.0.7 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-862, CWE-352, CWE-306 |
| Attack Vector | Network |
| CVSS Score | 9.1 (High) |
| Impact | Permanent Data Deletion (High Integrity/Availability Impact) |
| Exploit Status | Proof of Concept Available |
| Authentication Required | None (in public mode) |
CWE-862 (Missing Authorization): The software does not perform an authorization check when an actor attempts to access a resource or perform an action.