GHSA-7fh7-8xqm-3g88

Summary

Admidio relies on adm_my_files/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently ignore all .htaccess files. As a result, any file uploaded to the documents module regardless of the role-based permissions configured in the UI, is directly accessible over HTTP without authentication by anyone who knows the file path. The file path is disclosed in the upload response JSON.

---

Root Cause

File 1: Intended protection (ignored):
adm_my_files/.htaccess

Require all denied

<img width="408" height="403" alt="imagen" src="https://github.com/user-attachments/assets/95f0d389-a1a9-4dc4-9840-7f189d2c58ff" />

File 2: Apache config that neutralizes it:

• Command in order to search in Docker container: docker exec admidio-sec-app cat /etc/apache2/apache2.conf

/etc/apache2/apache2.conf (Docker image)

<Directory ${APACHE_DOCUMENT_ROOT}>
    AllowOverride None
</Directory>

<img width="492" height="328" alt="imagen" src="https://github.com/user-attachments/assets/2f2e09b1-0c2e-4932-8698-a40f6b92e917" />

AllowOverride None instructs Apache to skip .htaccess processing entirely, the deny rule never executes. The upload directory is inside the web root at /opt/app-root/src/adm_my_files/ and returns HTTP 200 for direct requests.

File 3: Upload response leaks the direct URL: system/file_upload.php, upload response JSON:

<img width="1528" height="624" alt="imagen" src="https://github.com/user-attachments/assets/50e66fde-ff41-4efa-adc9-ceeb5b23a97d" />

{
  "files": [{
    "name": "sensitive_poc.txt",
    "url": "http://TARGET/adm_my_files/documents_research/TEST-SENSITIVE/sensitive_poc.txt"
  }]
}

Verified PoC

Step 1: Admin creates a restricted folder (visible only to Administrator role):

modules/documents-files.php → permissions set to role...