Skip to content

Security: mfilser/wekan

Security

SECURITY.md

About money, see CONTRIBUTING.md

Security is very important to us. If you discover any issue regarding security, please disclose the information responsibly by sending an email to [email protected] and not by creating a GitHub issue. We will respond swiftly to fix verifiable security issues.

We thank you with a place at our hall of fame page, that is at https://wekan.github.io/hall-of-fame

How should reports be formatted?

Name: %name
Twitter: %twitter
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
CVSS (optional): %cvss
CWSS (optional): %cwss

Who can participate in the program

Anyone who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated may be upon their approval added to the Wekan Hall of Fame.

Which domains are in scope?

No public domains, because all those are donated to Wekan Open Source project, and we don't have any permissions to do security scans on those donated servers.

Please don't perform research that could impact other users. Secondly, please keep the reports short and succinct. If we fail to understand the logics of your bug, we will tell you.

You can Install Wekan to your own computer and scan it's vulnerabilities there.

About Wekan versions

There are only 2 versions of Wekan: Standalone Wekan, and Sandstorm Wekan.

Standalone Wekan Security

Standalone Wekan includes all non-Sandstorm platforms. Some Standalone Wekan platforms like Snap and Docker have their own specific sandboxing etc features.

Standalone Wekan by default does not load any files from Internet, like fonts, CSS, etc. This also means all Standalone Wekan functionality works in offline local networks. WeKan is used at most countries of the world https://snapcraft.io/wekan and by by companies that have 30k users.

  • Wekan private board attachments are not accessible without logging in.
  • There is feature to set board public, so that board is visible without logging in in readonly mode, with realtime updates.
  • Admin Panel has feature to disable all public boards, so all boards are private.

SSL/TLS

XSS

QA about PubSub

Q:

Hello, I have just seen the Meteor DevTools Evolved extension and was wondering if anyone had asked themselves the question of security. Insofar as all data is shown in the minimongo tab in plain text. How can data be hidden from this extension?

A:

PubSub

PubSub: Fix that user can not change to Admin

Permissions and Roles

Environment variables

Meteor.startup(() => {
  if (process.env.HEADER_LOGIN_ID) {
    Meteor.settings.public.attachmentsUploadMaxSize   = process.env.ATTACHMENTS_UPLOAD_MAX_SIZE;
    Meteor.settings.public.attachmentsUploadMimeTypes = process.env.ATTACHMENTS_UPLOAD_MIME_TYPES;
    Meteor.settings.public.avatarsUploadMaxSize       = process.env.AVATARS_UPLOAD_MAX_SIZE;

Escape HTML comment tags so that HTML comments are visible

Attachments: XSS in filename is sanitized

Brute force login protection

Sandstorm Wekan Security

On Sandstorm platform using environment variable Standalone Wekan features like Admin Panel etc are turned off, because Sandstorm platform provides SSO for all apps running on Sandstorm.

Sandstorm is separate Open Source platform that has been security audited and found bugs fixed. Sandstorm also has passwordless login, LDAP, SAML, Google etc auth options already. At Sandstorm code is read-only and signed by app maintainers, only grain content can be modified. Wekan at Sandstorm runs in sandboxed grain, it does not have access elsewhere without user-visible PowerBox request or opening randomly-generated API key URL. Also read Sandstorm Security Practices and Sandstorm Security non-events. For Sandstorm specific security issues you can contact kentonv by email.

What Wekan bugs are eligible?

Any typical web security bugs. If any of the previously mentioned is somehow problematic and a security issue, we'd like to know about it, and also how to fix it:

  • Cross-site Scripting
  • Open redirect
  • Cross-site request forgery
  • File inclusion
  • Authentication bypass
  • Server-side code execution

What Wekan bugs are NOT eligible?

Typical already known or "no impact" bugs such as:

  • Wekan API old tokens not replaced correctly
  • Missing Cookie flags on non-session cookies or 3rd party cookies
  • Logout CSRF
  • Social engineering
  • Denial of service
  • SSL BEAST/CRIME/etc. Wekan does not have SSL built-in, it uses Caddy/Nginx/Apache etc at front. Integrated Caddy support is updated often.
  • Email spoofing, SPF, DMARC & DKIM. Wekan does not include email server.

Wekan is Open Source with MIT license, and free to use also for commercial use. We welcome all fixes to improve security by email to security (at) wekan.team .

Bonus Points

If your Responsible Security Disclosure includes code for fixing security issue, you get bonus points, as seen on Hall of Fame.

There aren’t any published security advisories