GHSA-jr9p-4h4j-6c58
Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover
Details
### Summary
The official Kimai Docker image ships with `APP_SECRET=change_this_to_something_unique` as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting `APP_SECRET` runs with a publicly-known Symfony `kernel.secret`, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super_admin.
### Details
`Dockerfile:263` sets `ENV APP_SECRET=change_this_to_something_unique`. This value is consumed by `config/packages/framework.yaml:7` as `kernel.secret`, which Symfony uses to HMAC-sign:
- The `KIMAI_REMEMBER` remember-me cookie - LoginLink signatures - Password reset URLs - CSRF tokens
The `.docker/entrypoint.sh` does not check for or replace the default sentinel value. The bare-metal `.env.dist:38` ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start when `APP_SECRET` equals the sentinel.
User IDs are sequential integers starting from 1. The first super_admin account is almost always `id=1`. User IDs are visible in some URLs and API responses.
*A PoC was provided, but removed for security reasons.*
### Impact
Any Kimai instance deployed via the official Docker image without overriding `APP_SECRET` can be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if: - a username is known AND - the correct account ID for this username is guessed AND - the account has no active 2FA (two factor) authentication
## Solution
- The entrypoint.sh file is updated and now contains a script that generates a random `APP_SECRET` via `bin2hex(random_bytes(32))` which will be stored in `/opt/kimai/var/data/.appsecret` - The entrypoint.sh will create the file `/opt/kimai/.env.local` containing the `APP_SECRET`, either fetched from the Docker Environment or from the newly created secret file - The documentation was updated to highlight the importance of using a random secret for `APP_SECRET` - The Dockerfile removed default `APP_SECRET=change_this_to_something_unique` - Login links now contain more entropy (see GHSA-m492-gv72-xvxj) - so even without all previous changes, attackers won't be able to generate Login links even for installations that have a hard-coded `APP_SECRET=change_this_to_something_unique`
See [https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58](https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58) for more information.
Are you affected?
Enter the version of the package you're using.