Wekan Hall of Fame
Hall of Fame image from https://openclipart.org/detail/120343/trophy

Security

Report number: 2
Date: 2018-06-12
Responsible Security Disclosure by: Adrian Genaid
Timeline:
2018-06-12 20:06 GMT+3
Report received. 5 Gold Star bonus points to Adrian Genaid for including a code suggestion for fixing the security issue!
2018-06-13 01:30 GMT+3
Wekan v1.04 released, includes the security fix.
2018-06-26 16:07 GMT+3
Report content:

Hi, I just found a security issue in Wekan:
  • user data is published unconditionally
  • sessions can be taken over
Reproduction
  1. navigate to any standalone Wekan instance (sign in page, public board, ...)
  2. open developer tools (in Chrome)
  3. in console: "Meteor.subscribe('people', 999)"
  4. Users.find().fetch() => all users are shown
  5. have a look at the users: all login tokens are in the results (under services)!
  6. in console: "localStorage.setItem('Meteor.loginToken', 'anylogintokenfromthelistyouwouldliketouse')"
  7. reload the page => logged in as the user you have the login token from...
Problems
  • the "people" publication (in 'server/publications/people.js') is not secured against access (should only be accessible by admins)
  • in general, only some fields of a user should be published (no need to publish the password or login tokens...)
  • I think this problem exists since the introduction of the admin panel
Solution

This can be solved by improving the "people" publication.
One proposal:
import { Meteor } from 'meteor/meteor';
import { check, Match } from 'meteor/check';

Meteor.publish('people', function(limit) {
  check(limit, Number);

  // Unauthenticated clients get nothing.
  if (!Match.test(this.userId, String)) {
    return [];
  }

  // Only admins may list users, and only the whitelisted fields are sent;
  // `services` (password hash, login tokens) is never published.
  const user = Users.findOne(this.userId);
  if (user && user.isAdmin) {
    return Users.find({}, {
      limit,
      sort: {createdAt: -1},
      fields: {
        'username': 1,
        'profile.fullname': 1,
        'isAdmin': 1,
        'emails': 1,
        'createdAt': 1,
        'loginDisabled': 1,
      },
    });
  } else {
    return [];
  }
});
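As an added example (not Wekan's code and not the reporter's), the following Meteor-free model of the "people" publication shows the before and after behaviour described above and a check a maintainer can keep as a regression test: it asserts that nothing under `services` reaches a subscriber. The function names, the sample users and the fake tokens/hashes are constructed for this example.

```javascript
// Added example, not Wekan's own code: Meteor-free model of the "people" publication
// before/after the fix, plus a defender's leak check. Sample users and tokens are fake.
const PUBLISHED_FIELDS = ['username', 'profile.fullname', 'isAdmin', 'emails', 'createdAt', 'loginDisabled'];
const SECRET_PATHS = ['services.password', 'services.resume.loginTokens'];
const SAMPLE_USERS = [
  { _id: 'u1', username: 'alice', isAdmin: true, createdAt: 3, profile: { fullname: 'Alice Admin' },
    emails: [{ address: 'alice@example.test' }],
    services: { password: { bcrypt: 'FAKE-HASH' }, resume: { loginTokens: [{ hashedToken: 'FAKE-TOKEN-1' }] } } },
  { _id: 'u2', username: 'bob', isAdmin: false, createdAt: 2, profile: { fullname: 'Bob' }, emails: [],
    services: { resume: { loginTokens: [{ hashedToken: 'FAKE-TOKEN-2' }] } } },
];
// Dotted-path helpers so we can mimic MongoDB's inclusion projection.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}
function setPath(obj, path, value) {
  const keys = path.split('.'), last = keys.pop();
  let cur = obj;
  for (const k of keys) cur = cur[k] = cur[k] || {};
  cur[last] = value;
}
// What `fields: { 'a.b': 1, ... }` does: keep _id plus only the listed paths.
function projectFields(doc, fields) {
  const out = { _id: doc._id };
  for (const f of fields) {
    const v = getPath(doc, f);
    if (v !== undefined) setPath(out, f, v);
  }
  return out;
}
// Before the fix: every user document, `services` included, went to any caller.
function peoplePublicationVulnerable(users, limit) {
  return users.slice(0, limit);
}
// After the fix: anonymous/non-admin callers get nothing; admins get the newest `limit` users, projected.
function peoplePublication(users, userId, limit) {
  if (typeof limit !== 'number') throw new TypeError('limit must be a Number'); // check(limit, Number)
  if (typeof userId !== 'string') return [];                 // Match.test(this.userId, String)
  const caller = users.find((u) => u._id === userId);
  if (!caller || !caller.isAdmin) return [];
  return [...users].sort((a, b) => b.createdAt - a.createdAt).slice(0, limit)
    .map((u) => projectFields(u, PUBLISHED_FIELDS));
}
// Regression check: which credential paths survive in the published documents?
function leakedSecretPaths(docs) {
  const found = new Set();
  for (const d of docs) for (const p of SECRET_PATHS) if (getPath(d, p) !== undefined) found.add(p);
  return [...found].sort();
}
```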
Report number: 1
Date: 2018-03-25
Responsible Security Disclosure by: Team
Timeline:
2018-03-09
Team asked about the scope of Wekan Responsible Security Disclosure.
2018-03-10
xet7 added more details to the Wekan Security Disclosure wiki page about scope and security in Wekan.
2018-03-25
Report received and discussed with Wekan users and developers. Maximum security can be enabled, unless on some platform it makes Wekan not work at all. Report content:

Bug Type
Cross Frame Scripting, Clickjacking and Improper Cache Control.

Report
Team here.
We regularly conduct security testing on popular open source frameworks.
We found:
  • Cross Frame Scripting and Clickjacking bugs in Wekan due to lack of X-Frame-Options:SAMEORIGIN headers.
  • Besides, we found no CSPs are present.
  • Cache control isn't implemented.
PoC: Iframe src=url html object

2018-04-04
Wekan release v0.80: Added Meteor packages for security: browser-policy for cross-site scripting and clickjacking protection, and eluck:accounts-lockout for brute-force login protection. xet7 tested: the PoC does not work anymore after the addition of browser-policy. xet7 sent them info about the Wekan release, so that they can test whether there is still something to fix.

2018-04-12
xet7 emailed them to ask whether they had had time to test Wekan.

2018-04-17
They replied by email: not yet.

2018-05-20
xet7 published all details of their report to this HoF page.


TODO