[ckan-dev] security issues

Steven De Costa steven.decosta at linkdigital.com.au
Wed May 31 17:46:13 UTC 2017


You should stay up to date with patches for the version you are running.
You need to be on 2.5.4 currently for any security updates since 2.5.1 was
released.



On Wed, May 31, 2017 at 11:53 PM <Hildegard.GERLACH at ec.europa.eu> wrote:

> Hi everyone,
>
> For putting a website (which uses CKAN) in production, we had to undergo a
> security assessment.
>
> We are using CKAN 2.5.1; I don't know if things are different with newer
> versions.
>
>
> One of the things which was criticized is the administrative interface:
>
>
> Weak authentication: does not enforce strong passwords, multiple failed
> attempts to log in are allowed, no automatic logout after inactivity
>
>
> Cross-Site Request Forgery: before performing administrative actions, the
> application does not check whether HTTP requests were sent from an
> authorized page (the "Referer" header is not checked and no XSRF token is
> included)
>
> Incomplete logout functionality: the application session token remains
> valid after the user logs out from the application.
>
>
> Are there any improvements going on?
>
>
> Another thing is the third-party service Gravatar: the service is
> provided with the list of all application users and the list of pages
> they visited.
>
> Is it possible to disable the icon?
>
>
> Thanks for your help
>
>
> Hilde
> _______________________________________________
> ckan-dev mailing list
> ckan-dev at lists.okfn.org
> https://lists.okfn.org/mailman/listinfo/ckan-dev
> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>
-- 
STEVEN DE COSTA | EXECUTIVE DIRECTOR
www.linkdigital.com.au
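The three authentication findings in the assessment quoted above (no CSRF token on administrative actions, sessions that stay valid after logout, no lockout or idle timeout) share one root cause: the server keeps no state of its own about who is logged in, so it can neither revoke a session nor bind a request to one. The block below is an added example, written for this page and not taken from CKAN or from either poster, of a minimal server-side session registry that fixes all three at once. The limits (15-minute idle timeout, five failed logins, 10-minute lockout), the class and method names, and the injected clock are assumptions chosen for illustration; the point is the shape of the checks, not the numbers.

```python
"""Added example (not CKAN's own code): server-side sessions with
synchronizer CSRF tokens, real logout, idle timeout and login lockout."""
import hmac
import secrets
import time

IDLE_TIMEOUT_S = 900      # assumed: drop a session idle for 15 minutes
MAX_FAILED_LOGINS = 5     # assumed: lock an account after five failures
LOCKOUT_S = 600           # assumed: keep it locked for 10 minutes


class SessionStore:
    """In-memory registry; a real deployment would back this with Redis/DB."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so the timeouts are testable
        self._sessions = {}       # session id -> {"user", "csrf", "last_seen"}
        self._failures = {}       # username -> (failure count, time of last failure)

    def login(self, user, password_ok):
        """Refuse locked accounts, count failures, and mint a fresh session."""
        count, last = self._failures.get(user, (0, 0.0))
        if count >= MAX_FAILED_LOGINS and self._now() - last < LOCKOUT_S:
            return None                       # locked out, even with a good password
        if not password_ok:
            self._failures[user] = (count + 1, self._now())
            return None
        self._failures.pop(user, None)        # success resets the counter
        sid = secrets.token_urlsafe(32)       # unguessable session id
        self._sessions[sid] = {
            "user": user,
            "csrf": secrets.token_urlsafe(32),  # per-session synchronizer token
            "last_seen": self._now(),
        }
        return sid

    def current_user(self, sid):
        """Return the user for a live session; expire sessions idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > IDLE_TIMEOUT_S:
            del self._sessions[sid]           # automatic logout after inactivity
            return None
        s["last_seen"] = self._now()
        return s["user"]

    def csrf_token(self, sid):
        """Token to embed in forms rendered for this session."""
        s = self._sessions.get(sid)
        return s["csrf"] if s else None

    def admin_action(self, sid, submitted_token):
        """State-changing request: needs a live session AND a matching token."""
        user = self.current_user(sid)
        if user is None:
            return "denied: no session"
        expected = self._sessions[sid]["csrf"]
        # constant-time compare so the token cannot be guessed byte by byte
        if not submitted_token or not hmac.compare_digest(expected, submitted_token):
            return "denied: bad csrf token"
        return "ok: %s" % user

    def logout(self, sid):
        """Revoke server-side: the old cookie value is worthless afterwards."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("admin", password_ok=True)
    print(store.admin_action(sid, store.csrf_token(sid)))   # ok: admin
    print(store.admin_action(sid, "forged-by-attacker"))    # denied: bad csrf token
    store.logout(sid)
    print(store.admin_action(sid, store.csrf_token(sid)))   # denied: no session
```

A per-session token checked with a constant-time comparison is preferable to the Referer check the assessment mentions, because Referer is optional and stripped by many proxies and privacy settings; the token is also what makes the logout finding disappear, since a revoked session has no token to match. Note that the failure counter is keyed by username, so it rate-limits guessing against one account but says nothing about an attacker trying many accounts from one address; that case needs a separate per-source limit.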