[ckan-dev] security issues

Ian Ward ian at excess.org
Thu Jun 1 13:14:42 UTC 2017


I would love to get some of these features incorporated into core.

Any chance someone could join one of our dev meetings to discuss it?
https://hack.allmende.io/ckan-meeting

On Wed, May 31, 2017 at 6:13 PM, Cam Findlay <cam at camfindlay.com> wrote:

> Hi Hilde, Steve -
>
> Something you might find of use: we have open-sourced our security
> enhancements, packaged as an extension (after going through a similar
> security assessment).
>
> https://github.com/data-govt-nz/ckanext-security
>
> It deals with a number of the issues you raise and a few other things that
> were specific to our particular assessment (however, we'd be open to pull
> requests on this extension if you wanted to, say, add more configuration
> options to turn on/off various features you do/don't want from our plugin).
>
> This was built for CKAN 2.5.x and is running on a 2.6.x installation.
>
> The CKAN core team might be interested in taking some of these features/code
> into the work towards 2.7.x, as I'm sure these issues will come up again and
> it would be good to bake in some of the useful security-related features.
>
> Thanks :D
>
> Cam.
>
>
>
>
> On 1 June 2017 at 05:46, Steven De Costa <steven.decosta at linkdigital.com.au> wrote:
>
>> You should stay up to date with patches for the version you are running.
>> You need to be on 2.5.4 currently for any security updates since 2.5.1 was
>> released.
>>
>>
>>
>> On Wed, May 31, 2017 at 11:53 PM <Hildegard.GERLACH at ec.europa.eu> wrote:
>>
>>> Hi everyone,
>>>
>>> For putting a website (which uses CKAN) into production, we had to undergo
>>> a security assessment.
>>>
>>> We are using CKAN 2.5.1; I don't know if things are different with newer
>>> versions.
>>>
>>>
>>> One of the things that was criticized is the administrative interface:
>>>
>>>
>>> Weak authentication: does not enforce strong passwords, multiple failed
>>> attempts to log in are allowed, no automatic logout after inactivity
>>>
>>>
>>> Cross-Site Request Forgery: before performing administrative actions,
>>> the application does not check whether HTTP requests were sent from an
>>> authorized page (the "Referer" header is not checked and no XSRF token is
>>> included)
>>>
>>> Incomplete logout functionality: the application session token remains
>>> valid after the user logs out of the application.
>>>
>>>
>>> Are there any improvements going on?
>>>
>>>
>>> Another thing is the third-party service Gravatar: the service is
>>> provided with the list of all application users and the list of pages
>>> they visited.
>>>
>>> Is it possible to disable the icon?
>>>
>>>
>>> Thanks for your help
>>>
>>>
>>> Hilde
>>> _______________________________________________
>>> ckan-dev mailing list
>>> ckan-dev at lists.okfn.org
>>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>>>
>> --
>> STEVEN DE COSTA | EXECUTIVE DIRECTOR
>> www.linkdigital.com.au
>>
>>
>>
>>
>>
>
>
>
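The three administrative-interface findings Hilde lists (session token still valid after logout, no automatic logout after inactivity, no XSRF token on administrative actions) share one root cause: the server, not the cookie, has to be the authority on whether a session is alive. The block below is an added example written for this thread, not code from CKAN or from ckanext-security; the names SessionStore and IDLE_TIMEOUT are this example's own. It keeps session state server-side, binds a CSRF token to each session, expires idle sessions, and makes logout delete the record so a previously issued cookie value is no longer accepted.

```python
"""Server-side session store addressing the findings above: logout must invalidate
the server-side session, idle sessions must expire, and administrative actions
must carry a CSRF token bound to the session.  Illustrative only; the names
SessionStore and IDLE_TIMEOUT are this example's own, not CKAN's."""
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is treated as logged out


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so the timeout can be exercised in tests
        self._sessions = {}      # session_id -> {"user", "csrf", "last_seen"}

    def login(self, user):
        """Create a fresh, unguessable session id and a CSRF token bound to it."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32),
                               "last_seen": self._now()}
        return sid

    def csrf_token(self, sid):
        """Token to embed in admin forms; it exists only while the session is live."""
        session = self._live(sid)
        return session["csrf"] if session else None

    def authorize_admin_action(self, sid, submitted_token):
        """True only for a live session whose form token matches (constant-time compare),
        so a request forged from another origin, which cannot read the token, is rejected."""
        session = self._live(sid)
        if session is None or submitted_token is None:
            return False
        return hmac.compare_digest(session["csrf"], submitted_token)

    def logout(self, sid):
        """Delete the server-side record: the old cookie value is now worthless."""
        self._sessions.pop(sid, None)

    def _live(self, sid):
        """Return the session if it exists and is not idle-expired; refresh last_seen."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._now() - session["last_seen"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)  # idle too long: behave exactly as after logout
            return None
        session["last_seen"] = self._now()
        return session
```

A Referer check, which the assessment also mentions, is a weaker secondary control because the header is optional and stripped by some clients; the session-bound token is the one that must be enforced.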