Security vulnerabilities

  • Status Closed
  • Assigned To
    cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by nexxp66 - 16.07.2026
Last edited by cbay - 17.07.2026

FS#414 - Cross-Site Request Forgery (CSRF) Allows Displaying Another User's Domain Zone File

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Display Zone File functionality.

The application does not properly validate whether the Display Zone File request is initiated by the authenticated user. By creating a malicious CSRF proof-of-concept (PoC) and replacing the domain_id with the victim's domain ID, an attacker can force the victim's authenticated browser to execute the Display Zone File request without the victim's knowledge or interaction.

This allows unauthorized actions to be performed on behalf of authenticated users.

## CVSS v3.1

Base Score: 4.5 (MEDIUM)

Steps to Reproduce

Log in with an attacker account.
Navigate to the Domain section.
Ensure at least one domain is present.
Go to Domain Settings → DNS Records.
Open another browser/private window and log in as a victim.
Ensure at least one domain is present in the victim account.
Return to the attacker account.
Trigger the Display Zone File functionality.
Capture the Display Zone File request using Burp Suite.
Use Burp Suite Engagement Tools to generate a CSRF PoC.
Save the generated HTML file.
Replace the attacker's domain_id with the victim's domain_id.
Open the modified PoC in the victim's authenticated browser.
Click Submit.
Observe that the victim's Display Zone File is opened successfully without the victim intentionally initiating the action.

Expected Behavior

The application should validate that the Display Zone File request was intentionally initiated by the authenticated user and should reject cross-origin forged requests without proper CSRF validation.

Actual Behavior

The application accepts the forged CSRF request and executes the Display Zone File action using the victim's active session without requiring any additional verification.

Impact

An attacker can force authenticated users to execute the Display Zone File action without their knowledge.

This may allow unauthorized exposure of domain DNS zone information and sensitive configuration details through the victim's active session.

Closed by  cbay
17.07.2026 12:13
Reason for closing:  Invalid
Admin
cbay commented on 17.07.2026 07:20

Hello,

It seems to be from your video that you're only getting the zone file from the current session.

If you really believe you can fetch any zone, please post the zone file for domain ID 428.

Kind regards,
Cyril

Hello,

The PoC demonstrates that the request is executed using the victim's authenticated session.

The domain ID (428) you provided does not exist in my test account, which is why it was not fetched during my testing. The zone file returned depends on the `domain_id` provided in the request and whether that domain exists within the authenticated account.

If you test the same CSRF PoC while logged into an account that contains domain ID 428, the forged request will fetch that zone file using your authenticated session.

CSRF does not allow an attacker to directly fetch or access any user's private files or data through another user's session.

The impact of CSRF is that an attacker can force actions to be performed using the victim's authenticated session without the victim's intention, such as opening files, refreshing logs, restarting services, performing updates/deletions, changing email addresses, modifying cart items, or triggering other authenticated functionalities.

Admin
cbay commented on 17.07.2026 10:47

CSRF concerns state-changing operations, which is not the case here.

I understand your point. For the zone file open functionality, I agree that the impact is low because CSRF does not allow the attacker to directly access or read the file contents.

However, it still allows an attacker to force an authenticated user to open a zone file within their session without the user's intention.

Loading...

Available keyboard shortcuts

Tasklist

Task Details

Task Editing