[ckan-dev] cross-site scripting issue with resource preview

Adrià Mercader adria.mercader at okfn.org
Wed Feb 25 13:13:45 UTC 2015


Hi Thomas,

Thanks for flagging this. We'll have a look and come back to you.

For security related issues like this one please send your reports to
security at ckan.org

Thanks!

On 24 February 2015 at 15:08, Jörg-Thomas Vogt
<joerg-thomas.vogt at yourdata.de> wrote:
> Hello everybody,
>
> I'm using CKAN 2.2.1 with the datapusher extension and recline preview for
> CSV and TXT files.
> A penetration test raised the following issue:
>
> After uploading the following "CSV" file and pushing it to the datastore, a
> preview of the resp. resource leads to an alert popup showing "123".
> So at least the contents of the header are being evaluated and lead to code
> execution during preview:
>
> ========== cut ============
> field1;field2<script>alert(123)</script>;field3
> data1;data2;data3"><script>alert(456)</script>
> ========== cut ============
>
> The same code execution happens if a text file with the following contents
> is uploaded and previewed:
>
> ========== cut =============
> <script>alert(document.cookie)</script>
> ========== cut =============
>
> Is this an already known issue? Any way to prevent this?
>
> Many thanks
>
> Thomas
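The root cause the report describes is cell contents from an uploaded file being inserted into the preview page as markup rather than as text. The following is an added illustration, not CKAN or recline code: a minimal semicolon-delimited CSV parser (no quoted-field handling) plus two renderers, one that concatenates raw cell values into the table (the failure mode above) and one that HTML-escapes every header and data cell first. The sample input is constructed to mirror the two lines in the report; `escapeHtml`, `parseCsv`, `renderPreviewUnsafe`, `renderPreviewSafe` and `containsActiveMarkup` are names chosen for this example. In a real browser renderer the same effect is achieved by building the table with `document.createElement` and setting `textContent` instead of `innerHTML`.

```javascript
// Added example (not CKAN/recline code): rendering untrusted CSV cells into a
// preview table so that markup inside the data is displayed as text, never
// executed. Assumes a semicolon-delimited file with a header row.

// Constructed sample mirroring the report's test file.
const CSV_SAMPLE = [
  'field1;field2<script>alert(123)</script>;field3',
  'data1;data2;data3"><script>alert(456)</script>',
].join('\n');

// Escape the five characters that can change meaning inside HTML text or
// attribute context. Everything else is safe to emit verbatim.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Minimal parser: one record per line, fields split on the delimiter.
// Deliberately does not handle quoted fields; this is about rendering, not parsing.
function parseCsv(text, delimiter = ';') {
  const rows = text
    .split(/\r?\n/)
    .filter((line) => line.length > 0)
    .map((line) => line.split(delimiter));
  return { header: rows[0] || [], rows: rows.slice(1) };
}

// The failure mode: cell values dropped straight into the HTML string, so a
// header such as "field2<script>...</script>" becomes live markup.
function renderPreviewUnsafe(table) {
  const head = table.header.map((h) => `<th>${h}</th>`).join('');
  const body = table.rows
    .map((r) => `<tr>${r.map((c) => `<td>${c}</td>`).join('')}</tr>`)
    .join('');
  return `<table><thead><tr>${head}</tr></thead><tbody>${body}</tbody></table>`;
}

// The hardened form: every header and data cell passes through escapeHtml,
// so the same input renders as literal text in the preview table.
function renderPreviewSafe(table) {
  const head = table.header.map((h) => `<th>${escapeHtml(h)}</th>`).join('');
  const body = table.rows
    .map((r) => `<tr>${r.map((c) => `<td>${escapeHtml(c)}</td>`).join('')}</tr>`)
    .join('');
  return `<table><thead><tr>${head}</tr></thead><tbody>${body}</tbody></table>`;
}

// Simple check usable in a regression test: does the rendered output still
// contain an unescaped script tag?
function containsActiveMarkup(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
const table = parseCsv(CSV_SAMPLE);
console.log('unsafe renderer leaks markup:', containsActiveMarkup(renderPreviewUnsafe(table)));
console.log('safe renderer leaks markup:  ', containsActiveMarkup(renderPreviewSafe(table)));
console.log(renderPreviewSafe(table));
```

The check at the end is the kind of assertion a preview plugin's test suite should carry: feed it a file whose cells contain markup and verify that the rendered output contains only escaped entities. Note that escaping for the HTML text context, as above, does not cover data that ends up inside a script block or a `javascript:` URL; those contexts need their own encoding or, better, should never receive user data at all.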
