WeKan Server-Side Request Forgery Vulnerability in Webhook URL Handling

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in WeKan versions prior to 8.35. The flaw lies in the webhook integration URL handling: the URL scheme field accepts any string, with no protocol restriction and no validation of the destination address. An attacker who can create or modify integrations can set a webhook URL that points at an internal network address, and the server then sends HTTP POST requests, carrying full board event payloads, to that attacker-chosen internal target. In addition, by manipulating how the webhook response is handled, the attacker can overwrite arbitrary comment text without any authorization check.

Impact

Exploitation of this vulnerability gives an attacker server-side request forgery: the WeKan server can be made to send requests to internal network addresses, which may lead to unauthorized access to or manipulation of internal resources. In addition, the ability to overwrite comment text without authorization undermines the integrity of board data and can disrupt user interactions within the application.

Reproduction

To reproduce this vulnerability, create or modify a webhook integration in WeKan version 8.34 or earlier. Set the webhook URL to an internal network address. Once the integration is saved, the WeKan server will send HTTP POST requests to the specified internal address with full board event payloads. If the internal target is configured to respond in a certain way, it can be exploited to overwrite comments on the board without any authorization.

Remediation

Users are advised to update to WeKan version 8.35 or later, where this vulnerability has been fixed.

Added: Apr 22, 2026, 10:19 PM
Updated: Apr 22, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 6.3
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.