Cross-Site Request Forgery (CSRF) in kevinpapst/kimai2
Reported on Nov 20th 2021
CSRF Set 1 (modify invoice status [Medium severity])
Description
CSRF in saving invoices / modifying status of invoices (pending and cancel only)
Proof of Concept
The following state-changing endpoints are vulnerable to CSRF:
GET /en/invoice/save-invoice/9/5?searchTerm=&daterange=2021-11-01%20-%202021-11-30&tags=&exported=5&template=5&customers%5B%5D=9
GET /en/invoice/change-status/2/canceled
GET /en/invoice/change-status/2/pending
GET /en/invoice/?createInvoice=true&searchTerm=&daterange=2021-11-01%20-%202021-11-30&tags=&exported=5&template=5 (save all invoices)
Impact
Attackers can trick users into modifying the status of invoices, potentially disrupting invoice tracking.
CSRF Set 2 (modify search favourites [Low severity])
Description
CSRF in adding / deleting search favorites
Proof of Concept
The following state-changing endpoints are vulnerable to CSRF:
GET /en/invoice/?removeDefaultQuery=InvoiceQuery
GET /en/invoice/?searchTerm=&daterange=2021-11-01+-+2021-11-30&tags=&exported=5&template=5&setDefaultQuery=
Impact
Although very low severity, these state-changing actions are CSRF unprotected.
Occurrences
actions.html.twig L1-L35: invoice save / pending frontend
index.html.twig L226-L234: save all invoices js
InvoiceController.php L153-L177: save-invoice backend
AbstractController.php L230-L234: removeDefaultQuery backend
InvoiceController.php L184-L205: invoice status change (pending / cancel) backend
InvoiceController.php L89-L96: save all invoices backend
index.html.twig L215-L223: save-invoice js
Sorry for not replying earlier @haxatron. Thanks for your report!
You are right that there is no CSRF protection. I am not sure that I agree that this is a problem or even a risk, so I'll leave it open until I find enough time to look into the code. Will keep you updated.
Thank you for the response @maintainer!
I have added 4 more CSRF unprotected state-changing endpoints related to modifying the status of invoices. You may choose to fix whichever endpoints that are detailed in this report.
Again: awesome work @haxatron - I need a little more time to fix them, but for now I can say that they are all valid.
Thanks for submitting the fix! I can confirm it's patched. However, there is an error in the save-invoice field.
There are two token parameters in the save-invoice endpoint, e.g.:
````
GET /en/invoice/save-invoice/9/5?token=gYcEqImSbT1xMzzTbMfOhYrYzv9PPuZHw2TdbFQ0UbY&searchTerm=&daterange=2021-12-01%20-%202021-12-31&tags=&exported=5&template=5&_token=aROEluLz3_uXLCNpJxnKD--eIqVCqViPkcwehmCNoDA&customers%5B%5D=9
````
It will show an error message:
````
Changes could not be saved:
[] This form should not contain extra fields.
````
create_invoice seems to be working fine, it's just save-invoice.
I fixed the "save-invoice" issue. @haxatron if you write me an email I will send you a little "thank you" for all the fantastic feedback!
Thanks for fixing all the issues!
For me, responding and / or fixing these reports are thanks enough! 😉
:D very generous! Still, the offer stands, so send me a message whenever you want.
Tell me: do you see the "Confirm fix" button as well? Is the idea that I click it (as I did in the past) or do you actually verify the fix and hit that button?