Kanboard
cpe:2.3:a:kanboard:kanboard:*:*:*:*:*:*:*
- <= 1.2.48
A critical authentication bypass vulnerability exists in Kanboard project management software, specifically in versions through 1.2.48, when reverse proxy authentication is enabled. The application fails to properly verify HTTP headers used for user authentication, allowing attackers to impersonate any user, including administrators, by sending spoofed headers. This vulnerability arises because Kanboard blindly trusts these headers without confirming they come from a trusted reverse proxy.
Exploitation of this vulnerability allows for full administrative access to the Kanboard application, including the ability to access all projects, tasks, and files, and create persistent admin accounts.
To reproduce this vulnerability, enable reverse proxy authentication in Kanboard by setting the 'REVERSE_PROXY_AUTH' configuration option to true and specifying the 'REVERSE_PROXY_USER_HEADER' as 'HTTP_X_REMOTE_USER'. Once this is configured, send a request to the Kanboard dashboard with the spoofed 'X-Remote-User' header set to 'admin'. This will bypass authentication and grant access to the admin dashboard.
Users who do not need reverse proxy authentication should disable it. Those who do need it should configure an IP-based allowlist of trusted proxy networks so that the authentication header is honoured only when the request arrives from one of those proxies; instructions for setting up this allowlist are available in the Kanboard documentation.