[ckan-dev] security issues

Mark Gregson mark.gregson at linkdigital.com.au
Thu Jun 15 02:49:48 UTC 2017


Lots of good features in this extension. I'm curious what the vulnerability
with mutable usernames is given that there is also an immutable id?

Cheers
Mark



*MARK GREGSON* | *TEAM LEAD*
Link Digital

www.linkdigital.com.au
p: *02 6111 2907*
e: mark.gregson at linkdigital.com.au
GPO Box 199 Canberra ACT 2601

On 2 June 2017 at 13:34, Cam Findlay <cam at camfindlay.com> wrote:

> Sounds good Ian,
>
> I'll look into making it along to one of the dev meetings, I'm relatively
> new to CKAN as a product but old hat in the open source space (previous
> developer and community manager for open source cms SilverStripe).
>
> You are welcome to repurpose any of the approaches and code for use in
> 2.7.x, anything that can enhance security out of the box is welcome in my
> books (and given the public sector adoption of CKAN makes a tonne of sense).
>
> C.
>
>
>
> On 2 June 2017 at 01:14, Ian Ward <ian at excess.org> wrote:
>
>> I would love to get some of these features incorporated into core.
>>
>> Any chance someone could join one of our dev meetings to discuss it?
>> https://hack.allmende.io/ckan-meeting
>>
>> On Wed, May 31, 2017 at 6:13 PM, Cam Findlay <cam at camfindlay.com> wrote:
>>
>>> Hi Hilde, Steve -
>>>
>>> Something you might find of use, we have open sourced our security
>>> enhancements packaged as an extension (after going through a similar
>>> security assessment).
>>>
>>> https://github.com/data-govt-nz/ckanext-security
>>>
>>> It deals with a number of the issues you raise and a few other things
>>> that were specific to our particular assessment (however we'd be open to
>>> pull requests on this extension if you wanted to say add more configuration
>>> options to turn on/off various features you do/don't want from our plugin).
>>>
>>> This was built for 2.5.x CKAN and is running on a 2.6.x installation.
>>>
>>> CKAN core team might be interested in taking some of these features/code
>>> into the work towards 2.7.x as I'm sure these issues will come up again and
>>> would be good to bake in some of the useful security related features.
>>>
>>> Thanks :D
>>>
>>> Cam.
>>>
>>>
>>>
>>>
>>> On 1 June 2017 at 05:46, Steven De Costa <steven.decosta at linkdigital.com.au> wrote:
>>>
>>>> You should stay up to date with patches for the version you are
>>>> running. You need to be on 2.5.4 currently for any security updates since
>>>> 2.5.1 was released.
>>>>
>>>>
>>>>
>>>> On Wed, May 31, 2017 at 11:53 PM <Hildegard.GERLACH at ec.europa.eu>
>>>> wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> for putting a website (which uses CKAN) in production, we had to
>>>>> undergo a security assessment.
>>>>>
>>>>> We are using CKAN 2.5.1, I don't know if things are different with
>>>>> newer versions.
>>>>>
>>>>>
>>>>> One of the things which was criticized is the administrative
>>>>> interface:
>>>>>
>>>>>
>>>>> weak authentication: does not enforce strong passwords, multiple
>>>>> failed attempts to login are allowed, no automatic logout after inactivity
>>>>>
>>>>>
>>>>> Cross-Site Request Forgery: before performing administrative actions,
>>>>> the application does not check whether HTTP requests were sent from an
>>>>> authorized page (the "Referer" header is not checked and no XSRF token is
>>>>> included)
>>>>>
>>>>> incomplete logout functionality: The application session token
>>>>> remains valid after the user logs out from the application.
>>>>>
>>>>>
>>>>> Are there any improvements going on?
>>>>>
>>>>>
>>>>> Another thing is the third-party service Gravatar: the service is
>>>>> provided with the list of all application users and the list of pages
>>>>> they visited
>>>>>
>>>>> Is it possible to disable the icon?
>>>>>
>>>>>
>>>>> Thanks for your help
>>>>>
>>>>>
>>>>> Hilde
>>>>> _______________________________________________
>>>>> ckan-dev mailing list
>>>>> ckan-dev at lists.okfn.org
>>>>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>>>>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>>>>>
>>>> --
>>>> *STEVEN DE COSTA* | *EXECUTIVE DIRECTOR*
>>>> www.linkdigital.com.au
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
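Two of the findings quoted above (no XSRF token or Referer check on administrative actions, and a session token that stays valid after logout) reduce to the same server-side pattern. The following is an added illustration written for this thread, not code from CKAN core or from ckanext-security: an in-memory session store (constructed stand-in for a real session backend) whose logout actually destroys the session, plus a gate for state-changing admin requests that requires a POST, a per-session CSRF token compared in constant time, and a strict same-origin Referer check rather than a prefix match.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store standing in for CKAN's session backend.
# Example code written for this thread, not CKAN core or ckanext-security.
SESSIONS = {}


def login(user_id):
    """Create a server-side session; return the opaque cookie value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user_id": user_id, "csrf": secrets.token_urlsafe(32)}
    return token


def csrf_token_for(token):
    """Per-session CSRF secret to embed in admin forms (None if no session)."""
    sess = SESSIONS.get(token)
    return sess["csrf"] if sess else None


def is_authenticated(token):
    return token in SESSIONS


def logout(token):
    """Invalidate server-side, so a captured cookie value is useless afterwards.
    Returns False if the token was already dead (logout is idempotent)."""
    return SESSIONS.pop(token, None) is not None


def same_origin(referer, site_origin):
    """Strict origin comparison: scheme and host:port must match exactly.
    A plain prefix check would wrongly accept https://site.example.evil.test."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def admin_action_allowed(token, method, form_csrf, referer, site_origin):
    """Gate a state-changing admin action; returns (allowed, reason)."""
    sess = SESSIONS.get(token)
    if sess is None:
        return False, "no live session"
    if method.upper() != "POST":
        return False, "state change must be a POST"
    if not form_csrf or not hmac.compare_digest(form_csrf, sess["csrf"]):
        return False, "missing or wrong CSRF token"
    if not same_origin(referer, site_origin):
        return False, "Referer not from this site"
    return True, "ok"
```

Once the session is removed on logout, the same cookie value fails every later check, which is the behaviour the "incomplete logout" finding asks for.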

