Kanboard
cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*
- <= 1.2.45
A vulnerability in Kanboard prior to version 1.2.46 allows for username enumeration and bypassing of IP-based brute-force protections. This issue arises because the application only presents a CAPTCHA challenge after three failed login attempts for existing users. In contrast, non-existent usernames do not trigger a CAPTCHA, creating an opportunity for attackers to identify valid usernames by exploiting this inconsistency. Additionally, Kanboard's reliance on unvalidated HTTP headers for IP address detection enables attackers to spoof their IP, circumventing rate limits and evading security measures like Fail2Ban. As a result, organizations with publicly accessible Kanboard instances, particularly those using IP-based protections, are at increased risk of brute-force or credential stuffing attacks.
Exploitation of this vulnerability allows for effective username enumeration and the circumvention of IP-based rate limiting and blocking, increasing the risk of brute-force attacks on user accounts.
To reproduce this vulnerability, open the login page of a Kanboard instance and attempt to log in with a valid username and an incorrect password. After three failed attempts, a CAPTCHA will appear. Next, try logging in with a username that does not exist. No CAPTCHA will be displayed, confirming the username enumeration vulnerability. To exploit the IP spoofing aspect, send login requests with spoofed IP addresses using unvalidated HTTP headers, bypassing Kanboard's brute-force protections and evading Fail2Ban.
Users can update to Kanboard version 1.2.46 or later, where this vulnerability has been patched.
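The following is an added illustration, not Kanboard's own code (it is written in Python rather than Kanboard's PHP). It places a login throttle with the two weaknesses described above (a failure counter that only exists for known usernames, and a client IP read from X-Forwarded-For regardless of who sent it) beside a hardened version that counts every failed attempt for whatever username was submitted and honours X-Forwarded-For only when the TCP peer is a configured reverse proxy. The sample user table, the trusted proxy range 10.0.0.0/8, the three-attempt threshold and all addresses are constructed assumptions.

```python
"""Added example, not Kanboard's code: a login throttle that reveals whether a
username exists (the behaviour the advisory describes) beside one that does not,
plus client-IP extraction that trusts X-Forwarded-For only from known proxies.
"""
import ipaddress
from collections import defaultdict

CAPTCHA_THRESHOLD = 3                                   # threshold named in the advisory
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed reverse-proxy range
USERS = {"alice"}                                       # constructed sample user table


def client_ip_weak(peer_ip, headers):
    """Takes the client IP from X-Forwarded-For no matter who sent the request."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer_ip


def client_ip_hardened(peer_ip, headers):
    """Honours X-Forwarded-For only if the TCP peer is a trusted proxy, then walks
    the chain right-to-left past our own proxies to the first untrusted address."""
    def trusted(ip):
        try:
            return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
        except ValueError:
            return False
    if not trusted(peer_ip):
        return peer_ip                       # direct client: header is not ours to trust
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip                   # malformed header: fall back to the socket address
        if not trusted(hop):
            return hop
    return peer_ip                           # every hop was one of our proxies


class WeakThrottle:
    """Counts failures only for usernames that exist; an unknown username is never
    challenged, so whether a CAPTCHA appears reveals which accounts are real."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, username, password_ok, peer_ip, headers):
        """Returns True if this request is met with a CAPTCHA challenge."""
        if username not in USERS:
            return False
        key = (username, client_ip_weak(peer_ip, headers))
        if self.failures[key] >= CAPTCHA_THRESHOLD:
            return True
        if not password_ok:
            self.failures[key] += 1
        return False


class HardenedThrottle:
    """Counts every failed attempt, keyed both by the submitted username (whether
    or not it exists) and by the proxy-validated client IP."""
    def __init__(self):
        self.by_user = defaultdict(int)
        self.by_ip = defaultdict(int)

    def attempt(self, username, password_ok, peer_ip, headers):
        """Returns True if this request is met with a CAPTCHA challenge."""
        ip = client_ip_hardened(peer_ip, headers)
        if self.by_user[username] >= CAPTCHA_THRESHOLD or self.by_ip[ip] >= CAPTCHA_THRESHOLD:
            return True
        if not password_ok:
            self.by_user[username] += 1
            self.by_ip[ip] += 1
        return False


def captcha_after_failures(throttle_cls, username, n=CAPTCHA_THRESHOLD + 1):
    """Sends n wrong-password attempts from one address; reports whether the last was challenged."""
    throttle = throttle_cls()
    shown = False
    for _ in range(n):
        shown = throttle.attempt(username, False, "198.51.100.9", {})
    return shown


def captcha_despite_header_rotation(throttle_cls, n=CAPTCHA_THRESHOLD + 1):
    """Sends n wrong-password attempts for a real user from an untrusted peer that sets
    a different X-Forwarded-For each time; reports whether the last was challenged."""
    throttle = throttle_cls()
    shown = False
    for i in range(n):
        shown = throttle.attempt("alice", False, "198.51.100.9",
                                 {"X-Forwarded-For": f"192.0.2.{i + 1}"})
    return shown


if __name__ == "__main__":
    for cls in (WeakThrottle, HardenedThrottle):
        print(cls.__name__,
              "real user:", captcha_after_failures(cls, "alice"),
              "unknown user:", captcha_after_failures(cls, "nobody"),
              "rotating headers:", captcha_despite_header_rotation(cls))
```

Run as a script, the weak throttle challenges the real user but never the unknown one, and a rotating header keeps it from ever reaching the threshold; the hardened throttle answers identically for both usernames and keys its per-IP counter on the socket address whenever the peer is not a listed proxy. In a real deployment the per-username counters should expire and be bounded, since the hardened version deliberately keeps state for usernames that do not exist.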