[ckan-dev] CKAN vulnerable to HTTP response splitting

Armin Retterath armin.retterath at gmail.com
Fri Sep 20 16:14:07 UTC 2019


Maybe you can install Apache mod_security2 in front of the CKAN instance; this
may be a good alternative to buy some time.

Am Do., 19. Sept. 2019 um 11:27 Uhr schrieb Adrià Mercader <
adria.mercader at okfn.org>:

> Dear Eli,
>
> Please don't discuss security related issues like this one in a public
> forum like this list. Send your report and any additional information to
> security at ckan.org so the issue can be discussed without putting other
> users at risk.
>
> 2.5.x is an unsupported version, and there's a good chance that any
> potential vulnerabilities have been patched on more recent versions. But
> again let's discuss that on the security list.
>
> Adrià
>
> On Thu, 19 Sep 2019 at 10:32, Eli Agbayani <eagbayani at eol.org> wrote:
>
>> Hi Everybody,
>> Our CKAN portal is now using CKAN 2.5.9. We started from 2.5.2.
>> I was told that a scanning tool (called Qualys) reported that our CKAN
>> portal is vulnerable to
>> HTTP response splitting
>> <https://en.wikipedia.org/wiki/HTTP_response_splitting>. We are now on a
>> deadline to fix this vulnerability or else face being shut down.
>> Is there nothing in CKAN config or settings that can help eliminate this
>> vulnerability?
>>
>> HTTP response splitting is a common means of attack, and many
>> applications have native means to handle it.
>> I hope CKAN has a way to protect itself from this type of attack.
>> Any input will be appreciated.
>>
>> Thanks,
>> Eli Agbayani
>>
>> _______________________________________________
>> ckan-dev mailing list
>> ckan-dev at lists.okfn.org
>> https://lists.okfn.org/mailman/listinfo/ckan-dev
>> Unsubscribe: https://lists.okfn.org/mailman/options/ckan-dev
>>
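For readers who want to see what the scanner finding in this thread actually means, the following is an added example and not code from CKAN or from anyone on this list. It shows a toy redirect handler that copies a user-controlled `next` value into the Location header (the response-splitting bug), the same handler hardened to reject control characters and off-site targets, and a scanner-style probe that smuggles a canary header through a CRLF and checks whether it comes back as a real header of the first response. The handler names, the canary header and the sample payload are all made up for illustration; nothing here refers to a specific CKAN endpoint.

```python
# Added example (not CKAN code): HTTP response splitting via an unvalidated
# redirect target, a hardened version, and a black-box probe for the bug.
# Handler names, the canary header and the payload are constructed here.
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

Header = Tuple[str, str]
Response = Tuple[str, List[Header]]

CRLF = "\r\n"
CANARY: Header = ("X-Canary", "split-ok")  # header we try to smuggle in


def vulnerable_redirect(next_param: str) -> Response:
    """Copies the user-supplied redirect target straight into Location (the bug)."""
    return "302 Found", [("Location", next_param), ("Content-Length", "0")]


def hardened_redirect(next_param: str) -> Response:
    """Same handler with the two checks a safe redirect needs."""
    # 1. CR, LF or NUL in a header value lets the caller terminate the header
    #    or the whole header block. Reject rather than strip: stripping still
    #    leaves an attacker-chosen value in the header.
    if any(ch in next_param for ch in "\r\n\x00"):
        raise ValueError("control character in redirect target")
    # 2. Only allow a same-site absolute path; this also closes open redirects
    #    ("//evil.example/x" parses with a netloc and is sent to "/").
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc or not next_param.startswith("/"):
        next_param = "/"
    return "302 Found", [("Location", next_param), ("Content-Length", "0")]


def to_wire(resp: Response, body: bytes = b"") -> bytes:
    """Serialise a response the way a server that does not validate header
    values would, so any CRLF inside a value lands on the wire verbatim."""
    status, headers = resp
    lines = [f"HTTP/1.1 {status}"] + [f"{name}: {value}" for name, value in headers]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1") + body


def parse_first_response(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Parse the first HTTP message out of raw bytes, as a client would:
    everything after the first blank line is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def probe(handler: Callable[[str], Response]) -> Dict[str, object]:
    """Scanner-style check: send a redirect target carrying a CRLF-separated
    canary header and an injected body, then see whether the canary appears
    as a genuine header of the first response the client parses."""
    payload = f"/{CRLF}{CANARY[0]}: {CANARY[1]}{CRLF}{CRLF}<html>injected</html>"
    try:
        raw = to_wire(handler(payload))
    except ValueError as exc:
        # The hardened handler refuses the value before it reaches a header.
        return {"split": False, "rejected": str(exc), "injected_body": False}
    _, headers, body = parse_first_response(raw)
    return {
        "split": CANARY in headers,
        "rejected": None,
        "injected_body": body.startswith(b"<html>injected"),
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_redirect),
                          ("hardened", hardened_redirect)):
        print(name, probe(handler))
```

A WAF in front of the application, as suggested above, can give the "rejected" behaviour for request parameters containing CR/LF without touching the application, but it is a stopgap: the durable fix is the application refusing control characters in any value it places in a header, which recent Python HTTP stacks also enforce at the header layer. Whether a given deployment actually passes through such a check is something to verify with a probe like this one against a test instance, not something to assume.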

