Hall of Fame image from https://openclipart.org/detail/120343/trophy

Userbleed

CVE: VRF#20-08-DDFJJ.
Vulnerability name: Userbleed
Date: 2018-06-12
Responsible Security Disclosure by: Adrian Genaid at PLANTA Projektmanagement-Systeme GmbH
Vulnerabilities: Sent a detailed report and fix!
  • User data is published unconditionally
  • Sessions can be taken over
  • Affected Wekan v0.11.1-rc2 - v1.03
  • Fixed at Wekan v1.04 2018-06-12


Timeline
2018-06-12 20:06 GMT+3: Report received. 5 Gold Star bonus points to Adrian Genaid for including a code suggestion for fixing the security issue!
2018-06-26 16:07 GMT+3: Report content

Hi, I just found a security issue in Wekan:
  • user data is published unconditionally
  • sessions can be taken over
Reproduction
  1. navigate to any standalone Wekan instance (sign in page, public board, ...)
  2. open developer tools (in Chrome)
  3. in console: Meteor.subscribe('people', 999)
  4. Users.find().fetch() => all users are shown
  5. have a look at the users: all login tokens are in the results (under services)!
  6. in console: localStorage.setItem('Meteor.loginToken', 'anylogintokenfromthelistyouwouldliketouse')
  7. reload the page => logged in as the user the login token belongs to...
Problems
  • the people publication (in server/publications/people.js) is not secured against access (should only be accessible by admins)
  • in general, only some fields of a user should be published (no need to publish the password or login tokens...)
  • I think this problem exists since the introduction of the admin panel
Solution

This can be solved by improving the "people" publication.
A proposal:
// server/publications/people.js (Meteor, check, Match and Users are globals in Wekan)
Meteor.publish('people', function(limit) {
  check(limit, Number);

  // Anonymous connections have no userId: publish nothing.
  if (!Match.test(this.userId, String)) {
    return [];
  }

  // Only administrators may list users.
  const user = Users.findOne(this.userId);
  if (user && user.isAdmin) {
    return Users.find({}, {
      limit,
      sort: {createdAt: -1},
      // Whitelist of published fields; `services` (password hash,
      // login tokens) is deliberately left out.
      fields: {
        'username': 1,
        'profile.fullname': 1,
        'isAdmin': 1,
        'emails': 1,
        'createdAt': 1,
        'loginDisabled': 1,
      },
    });
  } else {
    return [];
  }
});
2018-06-13 01:30 GMT+3: Wekan v1.04
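The two findings in the report, a 'people' publication with no authorization and no field restriction, modelled as an added example (not code from the report or from Wekan): an in-memory stand-in for the Users collection, the unpatched handler beside the proposed one, and a subscribe() helper showing what each kind of client receives. The usersFixture accounts, the project() projection helper and the Users stub are constructed assumptions standing in for MongoDB and Meteor's server-side publication context.

```javascript
// Constructed sample accounts (placeholders, not real data), including the
// `services` subtree whose login tokens the unpatched publication exposed.
const usersFixture = [
  { _id: 'u1', username: 'alice', isAdmin: true, createdAt: 2, profile: { fullname: 'Alice' },
    emails: [{ address: 'alice@example.com' }],
    services: { password: { bcrypt: 'BCRYPT-PLACEHOLDER' },
                resume: { loginTokens: [{ hashedToken: 'TOKEN-PLACEHOLDER-1' }] } } },
  { _id: 'u2', username: 'bob', isAdmin: false, createdAt: 1, profile: { fullname: 'Bob' },
    emails: [{ address: 'bob@example.com' }],
    services: { resume: { loginTokens: [{ hashedToken: 'TOKEN-PLACEHOLDER-2' }] } } },
];
// Hypothetical, simplified MongoDB inclusion projection: copy only the listed
// (possibly dotted) paths plus _id into a fresh object.
function project(doc, fields) {
  const out = { _id: doc._id };
  for (const path of Object.keys(fields)) {
    const parts = path.split('.');
    let src = doc, dst = out;
    for (let i = 0; i < parts.length; i++) {
      if (src === null || typeof src !== 'object' || !(parts[i] in src)) break;
      if (i === parts.length - 1) { dst[parts[i]] = src[parts[i]]; break; }
      dst = dst[parts[i]] = dst[parts[i]] || {};
      src = src[parts[i]];
    }
  }
  return out;
}
// In-memory stand-in for Wekan's `Users` collection (limit and fields options only).
const Users = {
  findOne: (id) => usersFixture.find((u) => u._id === id),
  find: (selector = {}, { limit, fields } = {}) => ({
    fetch: () => usersFixture.slice(0, limit).map((d) => (fields ? project(d, fields) : d)),
  }),
};
// Unpatched behaviour described in the report: every field of every user, to anyone.
const vulnerablePeople = (ctx, limit) => Users.find({}, { limit });
// The reporter's proposal: signed-in admins only, and only a whitelist of fields.
function fixedPeople(ctx, limit) {
  if (typeof limit !== 'number') throw new Error('limit must be a Number'); // check(limit, Number)
  if (typeof ctx.userId !== 'string') return [];                 // Match.test(this.userId, String)
  const user = Users.findOne(ctx.userId);
  if (!(user && user.isAdmin)) return [];
  return Users.find({}, { limit, fields: { username: 1, 'profile.fullname': 1, isAdmin: 1,
                                           emails: 1, createdAt: 1, loginDisabled: 1 } });
}
// Documents a subscriber with the given userId (null = anonymous) would receive.
function subscribe(handler, userId, limit) {
  const result = handler({ userId }, limit);
  return Array.isArray(result) ? result : result.fetch();
}
```

A document that still carries `services.resume.loginTokens` after subscribe() is exactly the condition that made session takeover possible; with fixedPeople only admins receive anything, and never that subtree.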

