Kanboard Authenticated SQL Injection Vulnerability Allowing Database Dump

Vulnerability

An authenticated SQL injection vulnerability has been identified in Kanboard versions prior to 1.2.51. This vulnerability allows attackers with permission to add users to a project to manipulate SQL queries and extract the entire database. The issue arises in the ProjectPermissionController, where the 'external_id_column' POST parameter is not properly validated, enabling SQL injection that can be exploited using tools like SQLMap.

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, with the potential to dump the entire Kanboard database. Additionally, this vulnerability could be chained with privilege escalation by accessing sensitive information, such as an admin user's API key, and using it to modify account roles.

Reproduction

To reproduce this vulnerability, an authenticated user with permission to add users to a project must send a POST request to the 'ProjectPermissionController' with a crafted 'external_id_column' parameter. This parameter can be manipulated to bypass SQL injection protections, allowing the attacker to inject malicious SQL payloads that SQLMap can exploit to extract database information. A Python script is also available to automate the extraction of an admin API key and escalate privileges by changing the attacker's role to admin.

Remediation

Users are advised to update Kanboard to version 1.2.51 or later, where this vulnerability has been patched.
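The defect class described above is a column identifier taken from a request parameter and spliced into SQL text. Column names cannot be bound as query parameters the way values can, so the only sound fix is to accept the identifier solely from a fixed allowlist and reject everything else before it reaches the query. The following added example illustrates that pattern; it is not Kanboard's code and does not reproduce the patched controller. The table layout, the users, the allowlist contents and the function names are all constructed for the illustration.

```python
import sqlite3

# Constructed allowlist of columns a lookup may use as an "external id".
# Anything not in this set is refused before any SQL is built.
ALLOWED_EXTERNAL_ID_COLUMNS = frozenset({"username", "email"})


def build_demo_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.test", "app-admin"),
            ("bob", "bob@example.test", "app-user"),
        ],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, external_id_column: str, external_id: str):
    """Anti-pattern shown for contrast: the identifier comes straight from the
    request. Only the value is bound, so the column position is caller-controlled
    and the statement's shape is no longer fixed by the application."""
    sql = f"SELECT id, username, role FROM users WHERE {external_id_column} = ?"
    return conn.execute(sql, (external_id,)).fetchone()


def validate_external_id_column(external_id_column: str) -> str:
    """Return the identifier only if it is one of the known columns.

    Comparing against a closed set means no quoting or escaping logic is needed:
    the request either names a column the application chose in advance, or the
    request is rejected."""
    if external_id_column not in ALLOWED_EXTERNAL_ID_COLUMNS:
        raise ValueError(f"unsupported external_id_column: {external_id_column!r}")
    return external_id_column


def find_user_safe(conn: sqlite3.Connection, external_id_column: str, external_id: str):
    """Hardened lookup: the column name is allowlisted, the value is bound."""
    column = validate_external_id_column(external_id_column)
    sql = f"SELECT id, username, role FROM users WHERE {column} = ?"
    return conn.execute(sql, (external_id,)).fetchone()


def handle_add_user(conn: sqlite3.Connection, form: dict) -> tuple[int, str]:
    """Minimal stand-in for a controller action: returns (status, message).

    A rejected identifier is a client error, not a server error, and the
    rejection is a useful signal to log and alert on."""
    try:
        row = find_user_safe(conn, form.get("external_id_column", ""), form.get("external_id", ""))
    except ValueError as exc:
        return 400, str(exc)
    if row is None:
        return 404, "user not found"
    return 200, f"would add user {row[1]} (id={row[0]})"


if __name__ == "__main__":
    db = build_demo_db()
    print(handle_add_user(db, {"external_id_column": "email", "external_id": "bob@example.test"}))
    print(handle_add_user(db, {"external_id_column": "role", "external_id": "app-admin"}))
```

Run stand-alone, the first request succeeds and the second is refused with a 400 because `role` is not an allowlisted external-id column, even though it is a real column. The unsafe variant would have honoured that request, which is exactly the property an attacker relies on: the application no longer decides which part of the statement the request controls.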

Added: Mar 18, 2026, 4:20 AM
Updated: Mar 18, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 4.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.