[CKAN-support] FW: Questions about security

George Sattler George.sattler at xvt.com.au
Tue Jun 4 05:49:50 UTC 2013


Hello CKAN Support
I have a query from Rory Daly at Smart Services QLD regarding the security issues highlighted in green below. As Rory asks below, have they been resolved in a patch to 1.8 or in CKAN 2.0?
Regards
George

From: Daly Rory [mailto:Rory.Daly at smartservice.qld.gov.au]
Sent: Tuesday, 4 June 2013 10:21 AM
To: George Sattler
Subject: Questions about security

Hi George

I'm going to give you a call in a minute. I have some questions about the issues highlighted in green. (Primarily, have these been resolved in a patch to 1.8 or in 2.0?)

Cheers
Findings from the report (Like. = likelihood, Cons. = consequence; page numbers are those of the report):

SSQ-03 (p. 14)
  Issue / risk: An issue exists that allows an attacker to perform actions on behalf of another user, which could allow data to be manipulated.
  Like. UNL | Cons. MOD | Risk MOD
  Recommendation: Protect data by using a random value that is checked for accuracy before processing any other data in a request.

SSQ-07 (p. 16)
  Issue / risk: There is no lockout of accounts after an excessive number of password attempts.
  Like. MOD | Cons. MIN | Risk MOD
  Recommendation: Modify the login functionality to enforce a lockout to prevent brute-force attacks.

SSQ-08 (p. 17)
  Issue / risk: A number of cross-site scripting issues exist which could allow an attacker to execute custom code, which could be used to hijack a session.
  Like. UNL | Cons. MOD | Risk MOD
  Recommendation: Sanitise all output before displaying it to users.

SSQ-09 (p. 18)
  Issue / risk: The file upload functionality does not restrict the type or contents of files. It is possible to upload malicious files such as the EICAR test virus.
  Like. UNL | Cons. MOD | Risk MOD
  Recommendation: Restrict the type of files and their contents. Use an antivirus scanner on the uploaded files.

SSQ-01 (p. 12)
  Issue / risk: Some of the software in use appears to be out of date and may contain security flaws.
  Like. RARE | Cons. MIN | Risk LOW
  Recommendation: It is recommended to check with the distribution for an updated version of the software.

SSQ-02 (p. 13)
  Issue / risk: The Apache web server has the server status page publicly visible, which reveals sensitive information about the server.
  Like. MOD | Cons. INS | Risk LOW
  Recommendation: Disable mod_status or restrict access to the page.

SSQ-04 (p. 15)
  Issue / risk: Cookies used in the application are not protected from cross-site scripting attacks. If they are stolen, they could be used to hijack a session.
  Like. UNL | Cons. MIN | Risk LOW
  Recommendation: Set the 'HttpOnly' attribute on the cookies to protect them from cross-site scripting.

SSQ-05 (p. 15)
  Issue / risk: A number of cookies are not protected from being transmitted over an insecure network connection.
  Like. UNL | Cons. MIN | Risk LOW
  Recommendation: Set the 'Secure' attribute on the cookies to protect them from being sent over unencrypted networks.

SSQ-06 (p. 16)
  Issue / risk: An active session is not set to expire in a reasonable length of time by the default "Remember me" option.
  Like. UNL | Cons. MIN | Risk LOW
  Recommendation: Modify the session management functionality to expire session cookies sooner.

Rory Daly
Product Manager (Monday-Thursday)
Editor in Chief (Friday)
QGov Online Program (Single Website Experience) | Self Service
smartservice QUEENSLAND
Phone: 3008 5730
Ext: 35730
Email: Rory.Daly at smartservice.qld.gov.au
Editorial email: Editorial at smartservice.qld.gov.au
Website: www.qld.gov.au

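Editor's added illustration of three of the controls the report asks for: a per-session random token verified before any other form data is acted on (SSQ-03), and a session cookie issued with the HttpOnly and Secure attributes (SSQ-04, SSQ-05). This is not CKAN code and not part of the original message; the class, function and cookie names (SessionStore, handle_post, auth_tkt) are invented for the example, and the in-memory store stands in for whatever session storage the application really uses.

```python
# Added example (not CKAN code and not part of the original message): a
# per-session anti-CSRF token checked before any other form data is acted on
# (SSQ-03), and a session cookie issued with the HttpOnly and Secure
# attributes (SSQ-04, SSQ-05). Class, function and cookie names are invented
# for the illustration; the in-memory store stands in for whatever the
# application really uses.
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "auth_tkt"   # assumed cookie name, chosen for the example


class SessionStore:
    """In-memory sessions: id -> {user, csrf}. Each session gets its own
    random CSRF token, so a token leaked from one session is useless in another."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)            # unguessable session id
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def session_cookie_header(sid, secure=True):
    """Build the Set-Cookie value for the session id.

    HttpOnly keeps script (e.g. an XSS payload, SSQ-08) from reading it;
    Secure keeps the browser from sending it over plain HTTP. Pass
    secure=False only for a local HTTP development server."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    cookie[SESSION_COOKIE]["httponly"] = True
    cookie[SESSION_COOKIE]["secure"] = secure
    cookie[SESSION_COOKIE]["path"] = "/"
    return cookie[SESSION_COOKIE].OutputString()


def parse_cookie_header(header):
    """Turn a request's Cookie header into a {name: value} dict."""
    cookie = SimpleCookie()
    cookie.load(header or "")
    return {name: morsel.value for name, morsel in cookie.items()}


def csrf_token_for(store, cookies):
    """Token to embed in forms served to the session named by the cookies."""
    sess = store.get(cookies.get(SESSION_COOKIE, ""))
    return sess["csrf"] if sess else None


def check_csrf(store, cookies, submitted_token):
    """True only if the request carries a live session and the submitted token
    equals that session's token. The compare is constant-time so timing does
    not leak how many leading bytes of a guess were right."""
    sess = store.get(cookies.get(SESSION_COOKIE, ""))
    if sess is None or not submitted_token:
        return False
    return hmac.compare_digest(sess["csrf"].encode(), submitted_token.encode())


def handle_post(store, cookie_header, form):
    """Simulated state-changing handler. The token is verified before any
    other field of the form is read, the ordering SSQ-03 asks for.
    Returns (status, message)."""
    cookies = parse_cookie_header(cookie_header)
    if not check_csrf(store, cookies, form.get("csrf_token")):
        return 403, "forbidden: missing or invalid CSRF token"
    user = store.get(cookies[SESSION_COOKIE])["user"]
    return 200, f"dataset title set to {form.get('title')!r} by {user}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")                       # alice logs in
    print(session_cookie_header(sid))
    token = csrf_token_for(store, parse_cookie_header(f"{SESSION_COOKIE}={sid}"))
    # Legitimate submission from alice's own form.
    print(handle_post(store, f"{SESSION_COOKIE}={sid}",
                      {"csrf_token": token, "title": "Rainfall 2012"}))
    # Cross-site forgery: alice's browser attaches her cookie automatically,
    # but the attacker's page cannot know her token, so the request is refused.
    print(handle_post(store, f"{SESSION_COOKIE}={sid}", {"title": "pwned"}))
```

The forged request in the last call carries a perfectly valid session cookie, which is exactly why a cookie alone cannot authorise a state change; only the token, which the browser does not attach on its own, ties the request to a form the user actually loaded.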
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/ckan-support/attachments/20130604/5b5a6e59/attachment.html>


More information about the ckan-support mailing list