Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Reported on
Nov 16th 2021
Description
CSRF in the duplicate action: the copy is created as soon as the GET request is handled, and only then is the browser redirected to the edit form, so the state change happens without any token or confirmation step.
Proof of Concept
GET /en/admin/teams/{id}/duplicate
GET /en/admin/project/{id}/duplicate
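The pattern behind the finding, as an added illustration that is not Kimai's own code: the vulnerable action persists the copy on a plain GET and redirects, while the hardened one refuses to write unless the link carries a CSRF token that Symfony can verify against the admin's session. The controller, repository and route names (TeamDuplicateController, TeamRepository, admin_team_edit, team.duplicate) and the TeamRepository::duplicate() method are assumptions; isCsrfTokenValid(), createAccessDeniedException(), createNotFoundException(), redirectToRoute() and the Twig csrf_token()/path() functions are standard Symfony API.

```php
<?php
// Added illustration, not code from the Kimai project. Controller, repository
// and route names are assumptions; the Symfony calls are real API.
declare(strict_types=1);

namespace App\Controller;

use App\Repository\TeamRepository;              // assumed: find(int), duplicate(Team): Team
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

final class TeamDuplicateController extends AbstractController
{
    /**
     * VULNERABLE pattern (what the report describes): the copy is persisted as
     * soon as the GET arrives, before the redirect to the edit form. A page the
     * admin merely visits can trigger it with no interaction, e.g.
     *
     *   <img src="https://kimai.example.org/en/admin/teams/42/duplicate" width="0" height="0">
     *
     * because the browser attaches the admin's session cookie to that request.
     */
    #[Route('/admin/teams/{id}/duplicate', name: 'admin_team_duplicate_unsafe', methods: ['GET'])]
    public function duplicateUnsafe(int $id, TeamRepository $repository): Response
    {
        $team = $repository->find($id);
        if ($team === null) {
            throw $this->createNotFoundException();
        }
        $copy = $repository->duplicate($team);   // write on GET, nothing ties it to the admin's intent
        return $this->redirectToRoute('admin_team_edit', ['id' => $copy->getId()]);
    }

    /**
     * HARDENED pattern: the link carries a CSRF token bound to the intent
     * "team.duplicate" and the action writes only after the token verifies.
     * The token lives in the admin's session, so a third-party page cannot
     * construct a valid URL. The link is rendered server-side in Twig as
     *
     *   <a href="{{ path('admin_team_duplicate', {id: team.id, token: csrf_token('team.duplicate')}) }}">
     */
    #[Route('/admin/teams/{id}/duplicate/{token}', name: 'admin_team_duplicate', methods: ['GET'])]
    public function duplicate(int $id, string $token, TeamRepository $repository): Response
    {
        // Constant-time comparison against the session token; fails closed.
        if (!$this->isCsrfTokenValid('team.duplicate', $token)) {
            throw $this->createAccessDeniedException('Invalid CSRF token for team duplication');
        }
        $team = $repository->find($id);
        if ($team === null) {
            throw $this->createNotFoundException();
        }
        $copy = $repository->duplicate($team);
        return $this->redirectToRoute('admin_team_edit', ['id' => $copy->getId()]);
    }
}
```

isCsrfTokenValid() needs the framework's CSRF protection enabled (framework.csrf_protection). A token in the query string can leak through Referer headers and access logs, so the stricter variant puts the same token in a hidden field of a POST form and restricts the route to methods: ['POST']; either way, the property that matters is that no write happens on a request a third-party page can assemble.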
Impact
This vulnerability lets an attacker trick a logged-in admin into duplicating teams and projects: any page the admin visits can make the browser issue the GET requests above with the admin's session cookie attached.
Note
These are probably all the unprotected duplicate endpoints vulnerable to CSRF; there may be more, but this is what I found while looking through the files.
Occurrences
ProjectController.php L427-L432: duplicate project backend
TeamController.php L87-L102: duplicate team backend
actions.html.twig L1-L15: duplicate team frontend
TeamSubscriber.php L36-L39: duplicate team subscriber
actions.html.twig L1-L15: duplicate project frontend
Thanks @haxatron, I found and fixed two more duplicate actions with the same problem :-)
Credits: see the new release https://github.com/kevinpapst/kimai2/releases/tag/1.16.2
Thanks, but I think the two other duplicate actions did not duplicate the object before redirecting to the form, unlike the duplicate project and team actions I reported here, so there was no need for CSRF protection on the two other duplicate actions. :-)
Yeah, that was a late-night mistake and is already reverted ... having two CSRF protections on one form is probably too much :D