Hall of Fame image from https://openclipart.org/detail/120343/trophy
Back to Hall of Fame Contents Back to Wekan Website

Contents / Userbleed

CVE Vulnerability name Date Responsible Security Disclosure by Vulnerabilities
VRF#20-08-DDFJJ. Userbleed

2018-06-12 Adrian Genaid at PLANTA Projektmanagement-Systeme GmbH
  • User data is published unconditionally
  • Sessions can be taken over
  • Affected Wekan v0.11.1-rc2 - v1.03
  • Fixed at Wekan v1.04 2018-06-12


Timeline Details
2018-06-12 20:06 GMT+3 Report received. 5 Gold Star bonus points to Adrian Genaid for including code suggestion for fixing security issue!
2018-06-26 16:07 GMT+3 Report content

Hi, I just found a security issue in Wekan:
  • user data is published unconditionally
  • sessions can be taken over
Reproduction
  1. navigate to any standalone wekan instance (sign in page, public board, ...)
  2. open developer tools (in chrome)
  3. in console: Meteor.subscribe('people', 999)
  4. Users.find().fetch() => all users are shown
  5. have a look at the users: there are all login tokens in the results (under services)!
  6. In console: localStorage.setItem('Meteor.loginToken', 'anylogintokenfromthelistyouwouldliketouse')
  7. reload the page => logged in as the user you have the logintoken from...
Problems
  • the people publication (in server/publications/people.js) is not secured against access (should only be accessible by admins)
  • in general, only some fields of a user should be published (no need to publish the password or login tokens...)
  • I think this problem exists since the introduction of the admin panel
Solution

This can be solved by improving the "people" publication.
Some proposal:
Meteor.publish('people', function(limit) {
  check(limit, Number);

  if (!Match.test(this.userId, String)) {
    return [];
  }

  const user = Users.findOne(this.userId);
  if (user && user.isAdmin) {
    return Users.find({}, {
      limit,
      sort: {createdAt: -1},
      fields: {
        'username': 1,
        'profile.fullname': 1,
        'isAdmin': 1,
        'emails': 1,
        'createdAt': 1,
        'loginDisabled': 1,
      },
    });
  } else {
    return [];
  }
});
2018-06-13 01:30 GMT+3 Wekan v1.04$


Back to Hall of Fame Contents Back to Wekan Website