CVE-2006-4582

MEDIUM 5.0 / 10.0
Published: December 31, 2006 at 05:00 AM
Modified: April 9, 2025 at 12:30 AM
Source: PSIRT-CNA@flexerasoftware.com

Vulnerability Description

Cross-site request forgery (CSRF) vulnerability in The Address Book 1.04e allows remote attackers to perform unauthorized actions as other users via unspecified vectors, as demonstrated by deleting arbitrary users via the id parameter in a deleteuser action in users.php.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

The Address Book 1.04e suffers from a Cross-Site Request Forgery (CSRF) vulnerability, allowing attackers to execute unauthorized actions, such as deleting users, on behalf of legitimate users. This flaw could lead to account compromise and denial of service, severely impacting the application's integrity and availability.

02 // Vulnerability Mechanism

Step 1: Victim Authentication: A legitimate user logs into The Address Book 1.04e. Their browser stores a valid session cookie.

Step 2: Attacker Crafting: The attacker crafts a malicious HTML page or email containing a hidden form or a JavaScript snippet that automatically submits a request to users.php with the deleteuser action and the target user's ID.

Step 3: Victim Interaction: The victim, while still logged into The Address Book, visits the attacker's malicious page or opens the malicious email. The browser automatically submits the crafted request to the vulnerable application.

Step 4: Request Execution: Because the application lacks CSRF protection, it processes the attacker's request, using the victim's authenticated session to delete the specified user.

Step 5: User Deletion: The target user is deleted from The Address Book, potentially leading to a denial-of-service or account compromise.

03 // Deep Technical Analysis

The vulnerability stems from a lack of proper CSRF protection within The Address Book 1.04e. Specifically, the users.php script, which handles user management functions like deletion, fails to validate the origin of incoming requests. Attackers can craft malicious requests, including the id parameter to specify the user to delete, and trick authenticated users into submitting them. The absence of a CSRF token or any other mechanism to verify the request's origin allows attackers to bypass the application's intended security controls. The root cause is a missing check for the Referer header or a unique, per-session token, which would prevent requests originating from a different domain.
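A Python model of a deleteuser handler with and without the checks the analysis above names. This is an added example, not The Address Book's own users.php code; APP_ORIGIN, the request and session dictionaries, and the function names are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "https://addressbook.example"  # assumed deployment origin (constructed)


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def vulnerable_deleteuser(request, session, users):
    """Models the flaw in the advisory: a logged-in session is the only check,
    so a request auto-submitted by another site is honoured like any other."""
    if session.get("user") is None:
        return "login required"
    users.pop(int(request["params"]["id"]), None)
    return "deleted"


def issue_csrf_token(session):
    """Mint one random per-session token; the form embeds it in a hidden field."""
    session.setdefault("csrf_token", secrets.token_hex(32))
    return session["csrf_token"]


def hardened_deleteuser(request, session, users):
    """The same action with the origin and token checks the advisory says are missing."""
    if session.get("user") is None:
        return "login required"
    # 1. State-changing work only over POST, so an <img> or link GET is refused.
    if request["method"] != "POST":
        return "rejected: method"
    # 2. Origin (or Referer as fallback) must match our own site; a request that
    #    carries neither header is treated as untrusted rather than waved through.
    hdrs = request["headers"]
    src = hdrs.get("Origin") or hdrs.get("Referer")
    if src is None or _origin(src) != APP_ORIGIN:
        return "rejected: origin"
    # 3. Hidden-field token must equal the session token; constant-time compare.
    expected = session.get("csrf_token", "")
    supplied = request["params"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: token"
    users.pop(int(request["params"]["id"]), None)
    return "deleted"
```

Feed both handlers the same cross-site POST (authenticated session, foreign Origin, no token): the vulnerable one deletes the user, the hardened one stops at the origin check.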
