CVE-2015-5595

MEDIUM 6.5 / 10.0
Published: December 31, 2019 at 09:15 PM
Modified: November 21, 2024 at 02:33 AM
Source: cve@mitre.org

Vulnerability Description

Cross-site request forgery (CSRF) vulnerability in admin.php in Zenphoto before 1.4.9 allows remote attackers to hijack the authentication of admin users for requests that may cause a denial of service (resource consumption).

CVSS Metrics

Base Score
6.5
Severity
MEDIUM
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Zenphoto versions prior to 1.4.9 are vulnerable to a Cross-Site Request Forgery (CSRF) attack, allowing attackers to potentially hijack administrator sessions and cause a denial-of-service (DoS) condition. This vulnerability enables attackers to execute unauthorized actions on the vulnerable Zenphoto installation, leading to resource exhaustion and potential system compromise. Successful exploitation requires an authenticated admin user to be tricked into visiting a malicious link.

02 // Vulnerability Mechanism

Step 1: Victim Authentication: An administrator logs into the Zenphoto admin panel.

Step 2: Attacker Preparation: The attacker crafts a malicious link or HTML page containing a hidden form or JavaScript that, when loaded by the victim's browser, will send a specially crafted request to admin.php.

Step 3: Payload Delivery: The attacker lures the administrator to click the malicious link or visit a webpage containing the malicious code. This could be through phishing, social engineering, or other means.

Step 4: Request Execution: The victim's browser, still authenticated to the Zenphoto admin panel, automatically submits the crafted request to admin.php. The request is executed with the administrator's privileges.

Step 5: Denial of Service (DoS): The crafted request, due to the lack of CSRF protection, triggers an action that consumes excessive resources, such as attempting to upload a large file or initiating a large number of database queries, leading to a denial-of-service condition.

03 // Deep Technical Analysis

The vulnerability stems from a lack of CSRF protection in Zenphoto's admin.php. The application does not validate the origin of requests: there is no CSRF token or other mechanism to verify that a request is legitimate, so requests originating from any domain are accepted and executed with the privileges of an authenticated administrator. An attacker can use this to trigger actions that consume resources, such as excessive database queries or file uploads, leading to a denial-of-service condition.
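The missing check described above can be sketched as follows. This is an added example, not Zenphoto's code or its actual fix: the function names, the csrf_token field and the gallery.example origin are assumptions chosen for illustration, and the sample requests are constructed.

```php
<?php
// Added example, not Zenphoto code: function names, the 'csrf_token' field
// and the example origin below are assumptions for illustration.

// Issue one random token per session; embed it in every admin form.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing admin request may proceed.
// $server mirrors $_SERVER, $post mirrors $_POST, $session mirrors $_SESSION.
function csrf_request_allowed(array $server, array $post, array $session, string $expectedOrigin): bool
{
    // State-changing actions must not be reachable by GET (links, image tags).
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // If the browser sent an Origin header, it must match our own origin.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin !== null && $origin !== $expectedOrigin) {
        return false;
    }
    // The token must be present on both sides and match in constant time.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === '' || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Constructed sample requests (not captured traffic).
$session = [];
$token   = csrf_issue_token($session);
$origin  = 'https://gallery.example';

$sameSite = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $origin];
$foreign  = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example'];

var_dump(csrf_request_allowed($sameSite, ['csrf_token' => $token], $session, $origin));  // form rendered by the admin panel
var_dump(csrf_request_allowed($foreign, [], $session, $origin));                         // cross-site request, no token
var_dump(csrf_request_allowed($sameSite, ['csrf_token' => 'guess'], $session, $origin)); // token does not match the session
```

The check belongs at the top of every handler that changes state or starts expensive work, before any database or file operation runs.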
