Cross-site request forgery (CSRF) vulnerability in admBase/login.page in the Admin module in JForum allows remote attackers to hijack the authentication of administrators for requests that change the user group permissions of arbitrary users via a groupsSave action.
JForum's Admin module is vulnerable to Cross-Site Request Forgery (CSRF): a remote attacker can ride on a logged-in administrator's authenticated session to submit requests the administrator never intended. This vulnerability enables attackers to modify user group permissions, potentially granting themselves or other users elevated privileges and complete control of the forum. Successful exploitation can lead to complete system compromise and data breaches.
Step 1: Victim Login: An administrator logs into the JForum instance.
Step 2: Attacker Crafting: The attacker crafts a malicious HTML page or email containing a hidden form or JavaScript that automatically submits a request to the vulnerable groupsSave action.
Step 3: Payload Delivery: The attacker lures the administrator to visit the malicious page or opens the malicious email.
Step 4: Request Execution: The administrator's browser, while still authenticated to JForum, silently submits the crafted request to the groupsSave action.
Step 5: Permission Modification: The groupsSave action, lacking CSRF protection, processes the request and modifies the user group permissions of the targeted user (e.g., the attacker's account) or other users as specified in the crafted request.
Step 6: Privilege Escalation: The attacker, now with elevated privileges, can access sensitive data, modify forum content, or potentially gain complete control of the server.
The vulnerability stems from a lack of CSRF protection in admBase/login.page within the Admin module of JForum. Specifically, the groupsSave action, responsible for modifying user group permissions, does not validate the origin of the request. This allows an attacker to craft a request that, when executed by a logged-in administrator's browser, modifies user group memberships without the administrator's explicit consent. The root cause is the absence of a CSRF token or any other mechanism for verifying that the request was genuinely initiated from the forum's own pages. The server trusts any request that arrives with a logged-in administrator's session cookie, regardless of where the request originated.
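The missing check described above is the kind of request-authenticity validation a state-changing admin action needs. The following Python is an added illustrative example, not JForum's own code: it models a handler for an action like groupsSave that rejects any request lacking a matching Origin/Referer or a valid per-session synchronizer token. The forum origin, the session layout, the handler name and the sample requests are all constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed: the origin the forum is served from; only this origin may submit admin forms.
FORUM_ORIGIN = "https://forum.example.com"


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the admin session; the admin form embeds it as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def is_request_authentic(session: dict, headers: dict, form: dict) -> bool:
    """Return True only if the request carries proof that it came from the forum's own pages."""
    # Check 1: the browser-supplied Origin (or Referer as a fallback) must match our origin.
    # A cross-site form or script submission arrives with the attacker site's origin, or none.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != FORUM_ORIGIN:
        return False
    # Check 2: the synchronizer token in the form must equal the one bound to this session.
    # A cross-site attacker cannot read the token, so a forged request cannot include it.
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


def handle_groups_save(session: dict, headers: dict, form: dict, user_groups: dict) -> bool:
    """Hypothetical groupsSave handler: apply the change only for authentic admin requests."""
    if not session.get("admin_logged_in"):
        return False
    if not is_request_authentic(session, headers, form):
        return False  # silently-submitted cross-site request: refuse to touch permissions
    user_groups[form["user_id"]] = form["groups"].split(",")
    return True


if __name__ == "__main__":
    session = {"admin_logged_in": True}
    token = issue_csrf_token(session)
    groups = {}
    # Legitimate submission from the forum's own admin form.
    print(handle_groups_save(session, {"Origin": FORUM_ORIGIN},
                             {"csrf_token": token, "user_id": "42", "groups": "1,3"}, groups))
    # Constructed forged submission: foreign origin, no token -> rejected, groups unchanged.
    print(handle_groups_save(session, {"Origin": "https://attacker.invalid"},
                             {"user_id": "42", "groups": "1"}, groups))
```

Either check alone would block the forged request shown; using both means a single bypass (a missing Origin header, a leaked token) is not enough on its own.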