- Status Closed
-
Assigned To
cbay - Private
Opened by nexxp66 - 16.07.2026
Last edited by cbay - 17.07.2026
FS#414 - Cross-Site Request Forgery (CSRF) Allows Displaying Another User's Domain Zone File
Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Display Zone File functionality.
The application does not properly validate whether the Display Zone File request is initiated by the authenticated user. By creating a malicious CSRF proof-of-concept (PoC) and replacing the domain_id with the victim's domain ID, an attacker can force the victim's authenticated browser to execute the Display Zone File request without the victim's knowledge or interaction.
This allows unauthorized actions to be performed on behalf of authenticated users.
## CVSS v3.1
Base Score: 4.5 (MEDIUM)
Steps to Reproduce
Log in with an attacker account.
Navigate to the Domain section.
Ensure at least one domain is present.
Go to Domain Settings → DNS Records.
Open another browser/private window and log in as a victim.
Ensure at least one domain is present in the victim account.
Return to the attacker account.
Trigger the Display Zone File functionality.
Capture the Display Zone File request using Burp Suite.
Use Burp Suite Engagement Tools to generate a CSRF PoC.
Save the generated HTML file.
Replace the attacker's domain_id with the victim's domain_id.
Open the modified PoC in the victim's authenticated browser.
Click Submit.
Observe that the victim's Display Zone File is opened successfully without the victim intentionally initiating the action.
Expected Behavior
The application should validate that the Display Zone File request was intentionally initiated by the authenticated user and should reject cross-origin forged requests without proper CSRF validation.
Actual Behavior
The application accepts the forged CSRF request and executes the Display Zone File action using the victim's active session without requiring any additional verification.
Impact
An attacker can force authenticated users to execute the Display Zone File action without their knowledge.
This may allow unauthorized exposure of domain DNS zone information and sensitive configuration details through the victim's active session.
Loading...
Available keyboard shortcuts
- Alt + ⇧ Shift + l Login Dialog / Logout
- Alt + ⇧ Shift + a Add new task
- Alt + ⇧ Shift + m My searches
- Alt + ⇧ Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + ⇧ Shift + e ↵ Enter Edit this task
- Alt + ⇧ Shift + w watch task
- Alt + ⇧ Shift + y Close Task
Task Editing
- Alt + ⇧ Shift + s save task
bandicam 2026-07-16 22-17-22-...
Hello,
It seems to be from your video that you're only getting the zone file from the current session.
If you really believe you can fetch any zone, please post the zone file for domain ID 428.
Kind regards,
Cyril
Hello,
The PoC demonstrates that the request is executed using the victim's authenticated session.
The domain ID (428) you provided does not exist in my test account, which is why it was not fetched during my testing. The zone file returned depends on the `domain_id` provided in the request and whether that domain exists within the authenticated account.
If you test the same CSRF PoC while logged into an account that contains domain ID 428, the forged request will fetch that zone file using your authenticated session.
CSRF does not allow an attacker to directly fetch or access any user's private files or data through another user's session.
The impact of CSRF is that an attacker can force actions to be performed using the victim's authenticated session without the victim's intention, such as opening files, refreshing logs, restarting services, performing updates/deletions, changing email addresses, modifying cart items, or triggering other authenticated functionalities.
CSRF concerns state-changing operations, which is not the case here.
I understand your point. For the zone file open functionality, I agree that the impact is low because CSRF does not allow the attacker to directly access or read the file contents.
However, it still allows an attacker to force an authenticated user to open a zone file within their session without the user's intention.