Redmine Security Test Results
- It looks like your Redmine is vulnerable to hacker attacks with severe impact on your Redmine data.
- It appears that you are running Redmine 3.1.7, which is an old release that has not been updated for about 3 years.
- Access to your Redmine is not encrypted.
- All security relevant headers are configured properly.
- We strongly recommend you update your Redmine to the latest version.
- You should also set up TLS/SSL and disable unencrypted HTTP access.
Cross-Site Scripting (XSS)
By exploiting an XSS vulnerability an attacker may take over your login sessions and do anything your user account would be allowed to do. If they can lure an administrator into their trap, they would have access to all the data stored within Redmine, enabling them to read, change and delete everything.
- Incomplete sanitization of multi-value custom fields (High): An attacker may use multi-value custom fields to embed malicious code into the issue history, the issue list, or the time log.
- Cross-site scripting attack using manipulated SVG images (High): An attacker may attach malicious SVG images to issues or comments. When they are displayed to regular users, embedded code would be executed without their knowledge.
- Incomplete sanitization of Textile and Markdown text (High): An attacker may embed malicious code into issue descriptions or comments.
- Incomplete sanitization of user supplied text (Moderate): An attacker may embed malicious code into issue descriptions or comments.
File Content Disclosure
By exploiting a File Content Disclosure vulnerability, attackers may be able to download certain files from your server. In severe cases, hackers could get access to any file they wish, including the files storing your Redmine database or server passwords. In consequence, they might be able to take over the entire server by logging in using a regular user's password.
- File Content Disclosure in Rails Action View (High): Specially crafted Accept headers in combination with calls to certain URLs within Redmine can cause arbitrary files on the target server to be rendered, disclosing the file contents.
Remote Code Execution (RCE)
An RCE vulnerability allows attackers to run arbitrary code on your server. In consequence, this enables them to bypass all Redmine roles and permissions. They may read, change and delete all data stored in the Redmine database. Depending on the server configuration, they may even take over the entire server and do things like delete all backups or send out spam messages in your or your company's name.
- Remote Code Execution through Mercurial adapter (High): On Redmine installations with active Mercurial repositories, an attacker can take over the server and read and manipulate all data stored within your Redmine, possibly even take over the entire machine.
Server Side Request Forgery (SSRF)
In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services which are not intended to be exposed.
- Ruby OpenID security update (Moderate): Ruby OpenID (aka ruby-openid) is used by Redmine to integrate with OpenID Providers. ruby-openid performed discovery first, and then verification. This allowed an attacker to change the URL used for discovery and trick the server into connecting to that URL. This server in turn could be a private server not publicly accessible.
Denial of Service (DoS)
In a Denial of Service attack, your Redmine becomes compromised in a way that it does not function properly anymore. Using a Denial of Service vulnerability, attackers may not necessarily obtain or modify any data on the server, but they may render it unresponsive for users or disrupt certain functionality of your Redmine installation.
- Denial of Service Vulnerability in Rails Action View (Moderate): Specially crafted Accept headers can cause the Action View template location code to consume 100% CPU, causing the Redmine server to be unable to process requests.
- Reset tokens may leak to other websites (Moderate): Since the password reset tokens were part of the web address, users who follow links from the password reset page to other web sites leak the token to these websites. It will appear in the log files of those external websites.
Information Leak
By exploiting an information leak, an attacker may see pieces of information which would otherwise be hidden, effectively circumventing Redmine's roles and permissions.
- Missing permission check when accessing a repository via SVN (Moderate): Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.
- Erroneous rendering of activity views (Moderate): Redmine mishandles Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.
- Erroneous rendering of wiki links (Moderate): Redmine mishandles the rendering of wiki links, which allows remote attackers to obtain sensitive information.
- Reminder sent to ex-project members (Low): Reminder mails were sent to assignees, even if they no longer have access to the issue itself. This may reveal sensitive information.
General Server Test
- TLS/SSL not enabled
- TLS/SSL encrypts your server's HTTP traffic and prevents attackers from eavesdropping on connections to and from your Redmine server. Without TLS/SSL, attackers in the same (wireless) network as your users can easily intercept all traffic and steal your users' passwords.
- X-Frame-Options header set
- Using the X-Frame-Options header, your Redmine server is protected against Clickjacking attacks.
- X-XSS-Protection header set
- Your Redmine server properly activates additional automated cross-site scripting protection in many modern browsers.
- X-Content-Type-Options header set
- Content sniffing may enable cross-site scripting attacks. Since your Redmine server is properly sending the X-Content-Type-Options header, your users are protected against this attack vector.
How this works
Redmine Security Scanner tries to determine the version of your Redmine installation and it will list all known security vulnerabilities for that version. In addition, it will check your server configuration and make sure everything is set up securely.
Based on the results of these checks, Redmine Security Scanner will assign one of the following grades:
- Your Redmine installation is up to date, protected by properly configured TLS/SSL, not accessible via an unencrypted connection and all security relevant server headers are configured properly. Well done!
- Your Redmine installation is up to date, protected by properly configured TLS/SSL and not accessible via an unencrypted connection. However, you are missing some security relevant server headers which we recommend setting to further harden your server.
- Your Redmine installation is up to date and protected by SSL, but you are using a self-signed or untrusted certificate. This may lead to security warnings in your browser. Attackers may use this for phishing attacks and steal your users' passwords.
- Your Redmine installation is up to date, but it is accessible via an unencrypted plain text HTTP connection. Attackers in the same (wireless) network as your users can easily intercept all traffic and steal your users' passwords. Servers with TLS/SSL enabled will get the same rating if unencrypted access is possible as well.
- Your Redmine installation is too old and is vulnerable to at least one security issue of low severity.
- Your Redmine installation is too old and is vulnerable to at least one security issue of moderate severity.
- Your Redmine installation is too old and is vulnerable to at least one security issue of critical or high severity.
All checks are performed using black box testing, which means Redmine Security Scanner will only collect information about your Redmine server that is publicly accessible. It will not attempt to log in or access any privileged information.
If your Redmine code has been modified or deviates from the standard releases available on the Redmine website, Redmine Security Scanner may occasionally detect a wrong version or display vulnerabilities which are not present or exploitable on your Redmine server. It might also claim that your Redmine server isn't vulnerable to any known vulnerabilities when it actually is. In some cases, Redmine Security Scanner will not be able to detect a Redmine version with 100% certainty. A version range and the associated vulnerabilities will be shown in this case.
Redmine Security Scanner was built and tested with meticulous care and to the best of our knowledge, but Planio GmbH does not give any guarantees as to the correctness of the information displayed. Planio GmbH cannot be held liable for the correctness of the results of Redmine Security Scanner. The security of your Redmine server is your own responsibility. We also provide professional Redmine hosting should you wish to focus on your core business instead of your Redmine server.
If you believe that Redmine Security Scanner shows wrong results for your server, please get in touch and we will be happy to see if we can improve it.
Scanned URL: http://badredmine.farend.ne.jp/ | Scan date: December 17, 2017 15:09 | Duration: 39.54s