Summary
The official Kimai Docker image ships with APP_SECRET=change_this_to_something_unique as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting APP_SECRET runs with a publicly-known Symfony kernel.secret, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super_admin.
Details
Dockerfile:263 sets ENV APP_SECRET=change_this_to_something_unique. This value is consumed by config/packages/framework.yaml:7 as kernel.secret, which Symfony uses to HMAC-sign:
- The
KIMAI_REMEMBER remember-me cookie
- LoginLink signatures
- Password reset URLs
- CSRF tokens
The .docker/entrypoint.sh does not check for or replace the default sentinel value. The bare-metal .env.dist:38 ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start when APP_SECRET equals the sentinel.
User IDs are sequential integers starting from 1. The first super_admin account is almost always id=1. User IDs are visible in some URLs and API responses.
A PoC was provided, but removed for security reasons.
Impact
Any Kimai instance deployed via the official Docker image without overriding APP_SECRET can be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if:
- a username is known AND
- the correct account ID for this username is guessed AND
- the account has no active 2FA (two factor) authentication
Solution
- The entrypoint.sh file is updated and now contains a script that generates a random
APP_SECRET via bin2hex(random_bytes(32)) which will be stored in /opt/kimai/var/data/.appsecret
- The entrypoint.sh will create the file
/opt/kimai/.env.local containing the APP_SECRET, either fetched from the Docker Environment or from the newly created secret file
- The documentation was updated to highlight the importance of using a random secret for
APP_SECRET
- The Dockerfile removed default
APP_SECRET=change_this_to_something_unique
- Login links now contain more entropy (see GHSA-m492-gv72-xvxj) - so even without all previous changes, attackers won't be able to generate Login links even for installations that have a hard-coded
APP_SECRET=change_this_to_something_unique
See https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58 for more information.
References
Summary
The official Kimai Docker image ships with
APP_SECRET=change_this_to_something_uniqueas the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly settingAPP_SECRETruns with a publicly-known Symfonykernel.secret, enabling an unauthenticated attacker to forge HMAC-signed cookies and login links to take over any account including super_admin.Details
Dockerfile:263setsENV APP_SECRET=change_this_to_something_unique. This value is consumed byconfig/packages/framework.yaml:7askernel.secret, which Symfony uses to HMAC-sign:KIMAI_REMEMBERremember-me cookieThe
.docker/entrypoint.shdoes not check for or replace the default sentinel value. The bare-metal.env.dist:38ships the same default. No startup-time guard exists anywhere in the codebase that refuses to start whenAPP_SECRETequals the sentinel.User IDs are sequential integers starting from 1. The first super_admin account is almost always
id=1. User IDs are visible in some URLs and API responses.A PoC was provided, but removed for security reasons.
Impact
Any Kimai instance deployed via the official Docker image without overriding
APP_SECRETcan be compromised from the internet. An unauthenticated attacker who can reach the Kimai URL can forge authentication tokens and log in as any user if:Solution
APP_SECRETviabin2hex(random_bytes(32))which will be stored in/opt/kimai/var/data/.appsecret/opt/kimai/.env.localcontaining theAPP_SECRET, either fetched from the Docker Environment or from the newly created secret fileAPP_SECRETAPP_SECRET=change_this_to_something_uniqueAPP_SECRET=change_this_to_something_uniqueSee https://www.kimai.org/en/security/ghsa-jr9p-4h4j-6c58 for more information.
References