[ckan-dev] CKAN Vulnerability?

Ross Jones ross at servercode.co.uk
Wed Dec 31 18:25:22 UTC 2014


Hi Matthew

I suspect this is a problem with setup, where any user who registers can create an organisation and add datasets to it.  In particular I would guess that all of those instances that appear to have been ‘hacked’ have the settings described at http://docs.ckan.org/en/latest/maintaining/configuration.html?highlight=config#authorization-settings set incorrectly - although obviously I can’t confirm it from here.

There’s more information on a ticket created recently - https://github.com/ckan/ckan/issues/2164 - which is to change the defaults to ensure newly installed CKANs are locked down by default.

Ross
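An added audit script, not part of this thread or of CKAN itself, that checks the kind of misconfiguration Ross describes: it reads a CKAN .ini and reports the `ckan.auth.*` settings (the keys from the linked authorization-settings page) that still let any registered user create organisations or datasets, or that were left unset so the shipped default applies. The expected values and the sample config are mine.

```python
"""Audit a CKAN .ini for permissive ckan.auth.* settings (added example)."""
import configparser

# Keys from CKAN's authorization-settings documentation, each with the
# value a locked-down instance should carry. This is an assumed hardening
# policy for the audit, not CKAN's shipped defaults at the time of the thread.
EXPECTED = {
    "ckan.auth.anon_create_dataset": False,
    "ckan.auth.create_unowned_dataset": False,
    "ckan.auth.create_dataset_if_not_in_organization": False,
    "ckan.auth.user_create_groups": False,
    "ckan.auth.user_create_organizations": False,
}


def _as_bool(value):
    return value.strip().lower() in ("true", "1", "yes", "on")


def audit_ckan_auth(ini_text):
    """Return (key, actual) pairs that differ from EXPECTED.

    A key that is absent from the file is reported with actual=None: CKAN
    then falls back to a built-in default the operator never chose, which is
    exactly the situation the thread suspects on the affected portals.
    """
    parser = configparser.ConfigParser(interpolation=None)  # %(here)s etc.
    parser.read_string(ini_text)
    section = parser["app:main"]  # CKAN keeps its settings in this section
    findings = []
    for key, wanted in EXPECTED.items():
        if key not in section:
            findings.append((key, None))
        elif _as_bool(section[key]) != wanted:
            findings.append((key, section[key]))
    return findings


# Constructed sample of a permissive config: a freshly registered account
# can create an organisation and publish datasets into it.
PERMISSIVE_INI = """\
[app:main]
use = egg:ckan
ckan.auth.anon_create_dataset = false
ckan.auth.create_unowned_dataset = true
ckan.auth.user_create_organizations = true
"""

if __name__ == "__main__":
    for key, actual in audit_ckan_auth(PERMISSIVE_INI):
        print(f"{key}: {'not set (CKAN default applies)' if actual is None else actual}")
```

Run it against the live `.ini` of an instance by passing the file contents to `audit_ckan_auth`; an empty list means every listed key is present and set to the locked-down value.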


> On 31 Dec 2014, at 16:47, Matthew McNaughton <matthew at slashroots.org> wrote:
> 
> Season's Greetings everyone,
> 
> and Happy New Year when it comes. I'm writing to inquire about a "hack" on my CKAN portal that I came across this morning. A group called "SLAYERSHACKTEAM". A quick google search of their name <https://www.google.com/search?q=SLAYERSHACKTEAM&oq=SLAYERSHACKTEAM&aqs=chrome..69i57j0j69i60l2.486j0j4&sourceid=chrome&es_sm=93&ie=UTF-8> or their name + CKAN <https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8#q=ckan%20slayershackteam> shows that they've done the same thing to multiple CKAN sites, including the default CKAN.org instance, UK Parliament Instance <http://www.data.parliament.uk/group/activity/hacked-by-slayershackteam/0>, IATI <http://iatiregistry.org/publisher/about/hacked-by-slayershackteam> and OpenAfrica, though some of the files have since been removed.
> 
> Relatively speaking, at a surface level, it hasn't been terribly damaging, but I'll have to investigate the server records to be certain. With all the sites that have been compromised, it is clearly an automated hack, and it could just be a function of poorly set up/secured CKAN instances, but I did want to raise it for the benefit of the community.
> 
> This may not be new or might have been fixed in a CKAN update, but wanted to share nonetheless. 
> 
> Best,
> Matthew
> 
> ---
> Executive Director
> SlashRoots Foundation
> www.slashroots.org <http://www.slashroots.org/>
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
