GHSA-7FH7-8XQM-3G88

Vulnerability from github – Published: 2026-03-31 23:10 – Updated: 2026-03-31 23:10
VLAI?
Summary
Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess
Details

Summary

Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON.

Root Cause

File 1: Intended protection (ignored):
adm_my_files/.htaccess

Require all denied

imagen

File 2: Apache config that neutralizes it:

  • Command in order to search in Docker container: docker exec admidio-sec-app cat /etc/apache2/apache2.conf

/etc/apache2/apache2.conf (Docker image)

<Directory ${APACHE_DOCUMENT_ROOT}>
    AllowOverride None
</Directory>

imagen

AllowOverride None instructs Apache to skip .htaccess processing entirely, the deny rule never executes. The upload directory is inside the web root at /opt/app-root/src/adm_my_files/ and returns HTTP 200 for direct requests.

File 3: Upload response leaks the direct URL: system/file_upload.php, upload response JSON:

imagen

{
  "files": [{
    "name": "sensitive_poc.txt",
    "url": "http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt"
  }]
}

Verified PoC

Step 1: Admin creates a restricted folder (visible only to Administrator role):

modules/documents-files.php → permissions set to role Administrator only.

imagen

Step 2: Admin uploads a file to the restricted folder.

Upload response returns:

http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt

imagen

Step 3: Unauthenticated request retrieves the file:

curl -X GET 'http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt'
# Response: full file contents — no authentication required

imagen

Step 4: Confirm folder is role-restricted:

SELECT fil_name, fol_name, fol_public FROM adm_files JOIN adm_folders ON fil_fol_id = fol_id 
ORDER BY fil_id DESC LIMIT 5; -- fol_public = 0, role restricted — yet file is publicly accessible

Impact

  • Any document uploaded to Admidio including files restricted to specific roles is publicly accessible via direct HTTP request with no authentication required
  • Role-based access control on the documents module is completely bypassed at the filesystem level
  • Sensitive organizational documents (contracts, member data, financial records) are exposed to anyone who can guess or construct the file path
  • The upload API response discloses the direct URL to the uploader, making path enumeration trivial

Recommended Fix

Option 1 (preferred): Enable AllowOverride in Apache config:

<Directory /opt/app-root/src/adm_my_files>
    AllowOverride All
</Directory>

Option 2: Move uploads outside the web root:
Store uploaded files in a directory outside DOCUMENT_ROOT and serve them exclusively through Admidio's download handler (modules/documents-files.php?mode=download), which enforces role checks before serving the file.

Option 3: Apache-level explicit deny (does not require .htaccess):

<Directory /opt/app-root/src/adm_my_files>
    Require all denied
</Directory>

The most robust long-term fix is Option 2 — moving uploads outside the web root eliminates the dependency on Apache configuration correctness entirely.

Reported by: Juan Felipe Oz @JF0x0r

LinkedIn

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:10:03Z",
    "nvd_published_at": "2026-03-31T21:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAdmidio relies on `adm_my_files/.htaccess` to deny direct HTTP access to uploaded documents. The Docker image ships with `AllowOverride None` in the Apache configuration, which causes Apache to silently ignore all `.htaccess` files. As a result, any file uploaded to the\ndocuments module regardless of the _role-based_ permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON.\n\n---\n\n### Root Cause\n\n**File 1: Intended protection (ignored):**  \n`adm_my_files/.htaccess`\n```apache\nRequire all denied\n```\n\u003cimg width=\"408\" height=\"403\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/95f0d389-a1a9-4dc4-9840-7f189d2c58ff\" /\u003e\n\n**File 2: Apache config that neutralizes it:**  \n\n* Command in order to search in Docker container: `docker exec admidio-sec-app cat /etc/apache2/apache2.conf`\n\n`/etc/apache2/apache2.conf` (Docker image)\n```apache\n\u003cDirectory ${APACHE_DOCUMENT_ROOT}\u003e\n    AllowOverride None\n\u003c/Directory\u003e\n```\n\n\u003cimg width=\"492\" height=\"328\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/2f2e09b1-0c2e-4932-8698-a40f6b92e917\" /\u003e\n\n\n`AllowOverride None` instructs Apache to skip `.htaccess` processing entirely, the deny rule never executes. The upload directory is inside the web root at `/opt/app-root/src/adm_my_files/` and returns **HTTP 200** for direct requests.\n\n**File 3: Upload response leaks the direct URL:**  `system/file_upload.php`, upload response JSON:\n\n\u003cimg width=\"1528\" height=\"624\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/50e66fde-ff41-4efa-adc9-ceeb5b23a97d\" /\u003e\n\n```json\n{\n  \"files\": [{\n    \"name\": \"sensitive_poc.txt\",\n    \"url\": \"http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt\"\n  }]\n}\n```\n\n### Verified PoC\n\n**Step 1: Admin creates a restricted folder (visible only to Administrator role):**  \n\u003e `modules/documents-files.php` \u2192 permissions set to role `Administrator` only.\n\n\u003cimg width=\"1161\" height=\"784\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/25d81e44-9a7c-4991-b72e-6e664d176695\" /\u003e\n\n**Step 2: Admin uploads a file to the restricted folder.**  \n\u003e Upload response returns:\n```\nhttp://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt\n```\n\n\u003cimg width=\"1239\" height=\"294\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/84c1bcd1-47d7-4115-ac0f-653b0a6d7301\" /\u003e\n\n**Step 3: Unauthenticated request retrieves the file:**\n```bash\ncurl -X GET \u0027http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt\u0027\n# Response: full file contents \u2014 no authentication required\n```\n\n\u003cimg width=\"1051\" height=\"150\" alt=\"imagen\" src=\"https://github.com/user-attachments/assets/1ed7fab7-59cb-4d5b-8c60-12108490d1e4\" /\u003e\n\n**Step 4: Confirm folder is role-restricted:**\n```sql\nSELECT fil_name, fol_name, fol_public FROM adm_files JOIN adm_folders ON fil_fol_id = fol_id \nORDER BY fil_id DESC LIMIT 5; -- fol_public = 0, role restricted \u2014 yet file is publicly accessible\n```\n---\n\n### Impact\n\n- Any document uploaded to **Admidio** including files restricted to specific roles is publicly accessible via direct HTTP request with no authentication required\n- **Role-based** access control on the documents module is completely bypassed at the filesystem level\n- Sensitive organizational documents (contracts, member data, financial records) are exposed to anyone who can guess or construct the file path\n- The upload API response discloses the direct URL to the uploader, making path enumeration trivial\n\n### Recommended Fix\n\n**Option 1 (preferred): Enable AllowOverride in Apache config:**\n```apache\n\u003cDirectory /opt/app-root/src/adm_my_files\u003e\n    AllowOverride All\n\u003c/Directory\u003e\n```\n\n**Option 2: Move uploads outside the web root:**  \nStore uploaded files in a directory outside `DOCUMENT_ROOT` and serve them exclusively through Admidio\u0027s download handler (`modules/documents-files.php?mode=download`), which enforces role checks before serving the file.\n\n**Option 3: Apache-level explicit deny (does not require .htaccess):**\n```apache\n\u003cDirectory /opt/app-root/src/adm_my_files\u003e\n    Require all denied\n\u003c/Directory\u003e\n```\n\u003e The most robust long-term fix is Option 2 \u2014 moving uploads outside the web root eliminates the dependency on Apache configuration correctness entirely.\n\n**Reported by:** Juan Felipe Oz [@JF0x0r](https://x.com/PwnedRar_)\n\u003e [LinkedIn](https://www.linkedin.com/in/juanfelipeoz/)",
  "id": "GHSA-7fh7-8xqm-3g88",
  "modified": "2026-03-31T23:10:03Z",
  "published": "2026-03-31T23:10:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-7fh7-8xqm-3g88"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34381"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/commit/5f770c1ca81a4f6b02136280cd63316a35aabaaf"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Admidio/admidio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio allows Unauthenticated Access to Role-Restricted documents via neutralized .htaccess"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.