[ckan-dev] cross-site scripting issue with resource preview
Jörg-Thomas Vogt
joerg-thomas.vogt at yourdata.de
Tue Feb 24 15:08:50 UTC 2015
Hello everybody,
I'm using CKAN 2.2.1 with the datapusher extension and recline preview
for csv- and txt-files.
A penetration test raised the following issue:
After uploading the following "CSV" file and pushing it to the datastore,
a preview of the respective resource leads to an alert popup showing "123".
So at least the contents of the header are being evaluated, which leads to
code execution during preview:
========== cut ============
field1;field2<script>alert(123)</script>;field3
data1;data2;data3"><script>alert(456)</script>
========== cut ============
The same code execution happens if a text file with the following contents
is uploaded and previewed:
========== cut =============
<script>alert(document.cookie)</script>
========== cut =============
Is this an already known issue? Any way to prevent this?
Many thanks
Thomas
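
One way to prevent this class of issue, as an added example that is not part of the original post and is not CKAN or recline code: HTML-escape every field name and cell value before building the preview markup. The function names and the minimal semicolon parser are assumptions made for illustration; the sample input is the two files quoted in the post.

```javascript
// Added example; not CKAN or recline code. All function names are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that let data break out of HTML text or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Minimal split for the sample file (assumption: no quoted fields).
function parseDelimited(text, delimiter = ';') {
  const rows = text
    .split(/\r?\n/)
    .filter((line) => line.length > 0)
    .map((line) => line.split(delimiter));
  return { fields: rows[0] || [], records: rows.slice(1) };
}

// Header names and cell values are both untrusted: escape each one.
function renderPreviewTable({ fields, records }) {
  const head = fields.map((f) => `<th>${escapeHtml(f)}</th>`).join('');
  const body = records
    .map((r) => `<tr>${r.map((c) => `<td>${escapeHtml(c)}</td>`).join('')}</tr>`)
    .join('');
  return `<table><thead><tr>${head}</tr></thead><tbody>${body}</tbody></table>`;
}

// Text-file preview: the whole file is data, never markup.
function renderTextPreview(text) {
  return `<pre>${escapeHtml(text)}</pre>`;
}

// Sample input: the two files quoted in the post.
const SAMPLE_CSV =
  'field1;field2<script>alert(123)</script>;field3\n' +
  'data1;data2;data3"><script>alert(456)</script>\n';
const SAMPLE_TXT = '<script>alert(document.cookie)</script>';

console.log(renderPreviewTable(parseDelimited(SAMPLE_CSV)));
console.log(renderTextPreview(SAMPLE_TXT));
```

When the preview is built with DOM calls instead of strings, assigning the value to `textContent` has the same effect as the escaping shown here.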