Kanboard
cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*
- <= 1.2.46
Kanboard versions prior to 1.2.47 contain a path traversal vulnerability in the Task File Upload API. The 'createTaskFile' method does not validate the 'task_id' parameter or check it for path traversal, so a malicious actor can write files to any location on the system that the user controls. The impact is somewhat mitigated because filenames are hashed and lack extensions, but the vulnerability could still be exploited to execute harmful scripts, particularly in manual installations outside of Docker.
Exploitation of this vulnerability could lead to arbitrary file writes, with the potential for executing malicious scripts, especially in non-Docker environments.
To reproduce this vulnerability, upload a file using the 'createTaskFile' method in the Task File Upload API. Bypass the task ID validation by using a traversal sequence in the 'task_id' parameter, such as '../../../plugins', and include a PHP reverse shell payload in the 'blob' parameter. The file will be written to the specified location, and if the Kanboard instance is not running in Docker, the uploaded file could be executed, leading to remote code execution.
Users can update to Kanboard version 1.2.47 or later, where this vulnerability has been patched.
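For instances that cannot be upgraded immediately, or to review past API traffic, the missing 'task_id' check can be applied to request bodies at a proxy or in a log-review script. The following is an added example, not Kanboard's code or its patch. It assumes the API receives JSON-RPC request bodies and that the other parameter names and the positional order shown are correct; the function names are hypothetical.

```python
import json

# Positional parameter order is an assumption of this example.
POSITIONAL = ("project_id", "task_id", "filename", "blob")

def _is_task_id(value):
    """A task id should be a positive integer (numeric strings tolerated)."""
    if isinstance(value, bool):
        return False
    if isinstance(value, int):
        return value > 0
    return (isinstance(value, str) and value.isascii()
            and value.isdigit() and int(value) > 0)

def suspicious_task_file_calls(body):
    """Return [(request id, task_id)] for createTaskFile calls whose task_id
    is not a positive integer. Handles single calls and JSON-RPC batches."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return []  # not JSON: nothing to attribute to createTaskFile
    hits = []
    for call in (doc if isinstance(doc, list) else [doc]):
        if not isinstance(call, dict) or call.get("method") != "createTaskFile":
            continue
        params = call.get("params")
        if isinstance(params, list):  # positional form
            params = dict(zip(POSITIONAL, params))
        task_id = params.get("task_id") if isinstance(params, dict) else None
        if not _is_task_id(task_id):
            hits.append((call.get("id"), task_id))
    return hits

# Constructed sample bodies (not captured traffic); the blob is a harmless placeholder.
SAMPLES = [
    '{"jsonrpc":"2.0","method":"createTaskFile","id":1,"params":{"project_id":1,"task_id":42,"filename":"notes.txt","blob":"aGVsbG8="}}',
    '{"jsonrpc":"2.0","method":"createTaskFile","id":2,"params":{"project_id":1,"task_id":"../../../plugins","filename":"x","blob":"aGVsbG8="}}',
    '[{"jsonrpc":"2.0","method":"getTask","id":3,"params":{"task_id":7}},{"jsonrpc":"2.0","method":"createTaskFile","id":4,"params":[1,"../../../plugins","x","aGVsbG8="]}]',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(suspicious_task_file_calls(body))
```

A call that omits 'task_id' entirely is also reported, with `None` as the value, since it cannot refer to a valid task.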