Updated Security Disclosure (markdown)

Lauri Ojansivu 2018-03-10 02:20:58 +02:00
parent ffbea1b103
commit 30efa64ade

@ -1 +1,83 @@
Security is very important to us. If discover any issue regarding security, please disclose the information responsibly by sending an email to wekan-security (at) xet7.org and not by creating a GitHub issue.
Security is very important to us. If discover any issue regarding security, please disclose the information responsibly by sending an email to wekan-security (at) xet7.org and not by creating a GitHub issue. We will respond swiftly to fix verifiable security issues.
If you are the first to report a verifiable security issue, we'll thank you with a place at our hall of fame page, that will be at https://wekan.github.io/hall-of-fame . Because to this date no one has done responsible disclosure, but just posted public GitHub issue, that hall-of-fame page does not exists yet. You can be the first one.
## How should reports be formatted?
```
Name: %name
Twitter: %twitter
Bug type: %bugtype
Domain: %domain
Severity: %severity
URL: %url
PoC: %poc
CVSS (optional): %cvss
CWSS (optional): %cwss
```
## Who can participate in the program
Anyone who reports a unique security issue in scope and does not disclose it to a third party before we have patched and updated may be upon their approval added to the Wekan Hall of Fame.
## Which domains are in scope?
No any public domains, because all those are donated to Wekan Open Source project, and we don't have any permissions to do security scans on those donated servers.
You can [Install Wekan](https://github.com/wekan/wekan/releases) to your own computer and scan it's vulnerabilities there.
# About Wekan security in general
There is only 2 versions of Wekan: Sandstorm, and Standalone Wekan. Standalone Wekan includes all non-Sandstorm platforms. On Sandstorm platform using environment variable Standalone Wekan features like Admin Panel etc are turned off, because Sandstorm platform provides SSO for all apps running on Sandstorm. Some Standalone Wekan platforms like Snap and Docker have their own specific sandboxing etc features.
Wekan uses xss package for input fields like cards, as you can see from [package.json](https://github.com/wekan/wekan/blob/devel/package.json). Forms can include markdown links, html, image tags etc like you see at https://wekan.github.io . It's possible to add attachments to cards, and markdown/html links to files.
Wekan attachments are not accessible without logging in. Import from Trello works by copying Trello export JSON to Wekan Trello import page, and in Trello JSON file there is direct links to all publicly accessible Trello attachment files, that Standalone Wekan downloads directly to Wekan MongoDB database in [CollectionFS](https://github.com/wekan/wekan/pull/875) format. When Wekan board is exported in Wekan JSON format, all board attachments are included in Wekan JSON file as base64 encoded text. That Wekan JSON format file can be imported to Sandstorm Wekan with all the attachments, when we get latest Wekan version working on Sandstorm. In Sandstorm it's not possible yet to import from Trello with attachments, because Wekan does not implement Sandstorm-compatible access to outside of Wekan grain.
Standalone Wekan only has password auth currently, there is work in progress to add LDAP etc auth. If you need more login security for Standalone Wekan now, it's possible add additional [Google Auth proxybouncer] (https://github.com/wekan/wekan/wiki/Let's-Encrypt-and-Google-Auth) in front of password auth, and then use Google Authenticator for Google Auth. Currently Standalone Wekan does not have brute force protections for login and API, pull requests welcome.
[Sandstorm](https://sandstorm.io) is separate Open Source platform that has been [security audited](https://sandstorm.io/news/2017-03-02-security-review) and found bugs fixed. Sandstorm also has passwordless login, LDAP, SAML, Google etc auth options already. At Sandstorm code is read-only and signed by app maintainers, only grain content can be modified. Wekan at Sandstorm runs in sandboxed grain, it does not have access elsewhere without user-visible PowerBox request or opening randomly-generated API key URL. Also read [Sandstorm Security Practices](https://docs.sandstorm.io/en/latest/using/security-practices/) and [Sandstorm Security non-events](https://docs.sandstorm.io/en/latest/using/security-non-events/). For Sandstorm specific security issues you can contact [kentonv](https://github.com/kentonv) by email.
Links to other platforms:
[Snap](https://snapcraft.io)
[Docker](https://www.docker.com)
[VirtualBox](https://www.virtualbox.org)
[All Wekan Platforms](https://github.com/wekan/wekan/wiki/Platforms)
## What Wekan bugs are eligible?
Any typical web security bugs. If any of the previously mentioned is somehow problematic and a security issue, we'd like to know about it, and also how to fix it:
- Cross-site Scripting
- Open redirect
- Cross-site request forgery
- File inclusion
- Authentication bypass
- Server-side code execution
## What Wekan bugs are NOT eligible?
Typical already known or "no impact" bugs such as:
- Brute force password guessing
- Security issues related to that Wekan uses Meteor 1.6.0.1 related packages, and upgrading to newer Meteor 1.6.1 is complicated process that requires lots of changes to many dependency packages. Upgrading [has been tried many times, spending a lot of time](https://github.com/meteor/meteor/issues/9609) but there still is issues.
- [Wekan API old tokens not replaced correctly](https://github.com/wekan/wekan/issues/1437)
- Missing Cookie flags on non-session cookies or 3rd party cookies
- Logout CSRF
- Social engineering
- Denial of service
- SSL BEAST/CRIME/etc. Wekan does not have SSL built-in, it uses Caddy/Nginx/Apache etc at front.
- Email spoofing, SPF, DMARC & DKIM
Wekan is Open Source, we welcome all pull requests to fix and improve these.
## Other guidelines
Please don't perform research that could impact other users. Secondly, please keep the reports short and succinct. If we fail to understand the logics of your bug, we will tell you.
Wekan Team reserves the rights to discontinue the reward program without previous notice at any time.
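Review bot: the report template's `Domain: %domain` and `URL: %url` fields contradict the "Which domains are in scope?" section, which says no public domains are in scope and reporters must test their own install, so those fields will either be empty or name a reporter's private server; replace them with the details the "About Wekan security in general" text says matter for triage, for example `Wekan version: %version` and `Platform (Standalone/Sandstorm/Snap/Docker): %platform`, since the body explains that Sandstorm and Standalone Wekan behave differently. Two markdown rendering problems in the same hunk: `[Google Auth proxybouncer] (https://github.com/wekan/wekan/wiki/Let's-Encrypt-and-Google-Auth)` has a space between `]` and `(` so it will not render as a link, and the four "Links to other platforms" lines have no list markers, so they will collapse into one paragraph; prefix each with `- `. Minor wording: "If discover any issue" (carried over from the old first line) should read "If you discover any issue", and "reserves the rights to discontinue the reward program" should say "hall of fame program", because the policy offers no monetary reward and the current phrasing suggests one.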