Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2

Valid

Reported on Nov 16th 2021


Description

CSRF in the duplicate action: the object is duplicated first, and only then is the browser redirected to the edit form, so a forged request to the duplicate URL alone is enough to create the copy.

Proof of Concept

GET /en/admin/teams/{id}/duplicate
GET /en/admin/project/{id}/duplicate

Impact

This vulnerability allows an attacker to trick admin users into duplicating teams.

Note

These are probably all the unprotected duplicate-action endpoints vulnerable to CSRF; there may be more, but this is what I have found while looking through the files.

Occurrences

duplicate project backend

duplicate team backend

duplicate team frontend

duplicate team subscriber

duplicate project frontend
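The pattern behind this report, shown as an added example in Symfony-style PHP (the framework Kimai uses); this is hypothetical code, not Kimai's own controller, and the Team entity, route names, edit route and the 'team.duplicate' token id are assumptions. The first action persists a copy on a plain GET before redirecting, so any page that makes a logged-in admin's browser request that URL triggers the duplication; the second validates a CSRF token before doing any work.

```php
<?php
// Hypothetical controller, not Kimai's code. Assumes App\Entity\Team::__clone()
// resets the id so the clone is persisted as a new row.
namespace App\Controller;

use App\Entity\Team;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

final class TeamDuplicateController extends AbstractController
{
    /**
     * Vulnerable variant: the state change happens on a bare GET, so a forged
     * request from another origin succeeds with the admin's session cookie.
     *
     * @Route("/admin/teams/{id}/duplicate-unprotected", name="admin_team_duplicate_unprotected", methods={"GET"})
     */
    public function duplicateUnprotected(Team $team, EntityManagerInterface $em): Response
    {
        $copy = clone $team;           // copy is created before any redirect
        $em->persist($copy);
        $em->flush();

        return $this->redirectToRoute('admin_team_edit', ['id' => $copy->getId()]);
    }

    /**
     * Hardened variant: the link in the template is rendered with
     * ?token={{ csrf_token('team.duplicate') }}, and the controller refuses to
     * persist anything unless that token is valid for the current session.
     * An attacker's page cannot read the token, so the forged request fails.
     *
     * @Route("/admin/teams/{id}/duplicate", name="admin_team_duplicate", methods={"GET"})
     */
    public function duplicate(Team $team, Request $request, EntityManagerInterface $em): Response
    {
        $token = $request->query->get('token');
        if (!$this->isCsrfTokenValid('team.duplicate', $token)) {
            throw $this->createAccessDeniedException('Missing or invalid CSRF token.');
        }

        $copy = clone $team;
        $em->persist($copy);
        $em->flush();

        return $this->redirectToRoute('admin_team_edit', ['id' => $copy->getId()]);
    }
}
```

Requiring POST for the duplicate action would be the stricter fix; the token check shown keeps the existing link-style action working while blocking cross-origin requests.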

We are processing your report and will contact the kevinpapst/kimai2 team within 24 hours. 12 days ago
haxatron modified their report 12 days ago
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back 11 days ago
Kevin Papst validated this vulnerability 10 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Papst confirmed that a fix has been merged on b28e9c 10 days ago
Kevin Papst has been awarded the fix bounty
actions.html.twig#L1L15 has been validated
actions.html.twig#L1L15 has been validated
TeamSubscriber.php#L36L39 has been validated
TeamController.php#L87L102 has been validated
Kevin Papst
10 days ago

Maintainer


Thanks @haxatron, I found and fixed two more duplicate actions with the same problem :-)

Kevin Papst
10 days ago

Maintainer


Credits, see new release https://github.com/kevinpapst/kimai2/releases/tag/1.16.2

haxatron
9 days ago

Researcher


Thanks, but I think the two other duplicate actions did not duplicate the object before redirecting to the form, unlike the duplicate project and team actions I have reported here, so there was no need for CSRF protection on those two other duplicate actions. :-)

Kevin Papst
9 days ago

Maintainer


Yeah, that was a late night mistake and is already reverted ... having two CSRF protections on one form is probably too much :D

Jamie Slome
9 days ago

Admin


CVE published! 🎊