[CKAN-support] FW: Potential Vulnerability - Data.sa.gov.au [DLM=For-Official-Use-Only]

Thomas, Alysha (OCIO) Alysha.Thomas at sa.gov.au
Thu Aug 7 12:17:15 UTC 2014


For Official Use Only

Hi Michelle

Can you please send an email to support at ckan.org to have this issue investigated


Below is a quote from the QLD Government people who reported this. They have reported it to CKAN but it may be worth doing the same so the Vendor is aware it's across all sites using their platform:

"Serious SQL injection/code execution issue in data.qld.gov.au

...SQL injection vulnerability found in data.qld.gov.au. Our online team are investigating and have confirmed this vulnerability to be valid and have requested the vendor CKAN to investigate further.

 Please note the team also believe the same serious SQL injection/code execution issue will be present in the federal government site http://data.gov.au/ "

While the above quote discussed the QLD Government site, we have done a quick test and it appears the same vulnerability is present in data.sa.gov.au

From: Thomas, Alysha (OCIO)
Sent: Monday, 28 July 2014 11:22 AM
To: Luker, Will (OCIO)
Subject: RE: Potential Vulnerability - Data.sa.gov.au [DLM=For-Official-Use-Only]


For Official Use Only
Hi Will

I manage data.sa, the platform that uses CKAN code.

e-gov do not use CKAN so it should not be relevant to them

I tried to call; however, you had stepped away from your desk. Accordingly, can you please give me a call in regard to this

thanks


Alysha Thomas
Program Manager
Open Data | Open Access and Licensing (AusGOAL)
Office of the Chief Information Officer
Department of Premier and Cabinet
Phone:  (08) 8226 2387
Email:  alysha.thomas at sa.gov.au
Website: http://www.data.sa.gov.au/
Level 4 Wakefield House, 30 Wakefield Street, Adelaide SA 5000
GPO Box 1484 Adelaide SA 5001







From: Luker, Will (OCIO)
Sent: Monday, 28 July 2014 10:23 AM
To: Thomas, Alysha (OCIO)
Subject: Potential Vulnerability - Data.sa.gov.au [DLM=For-Official-Use-Only]


For Official Use Only
Hi Alysha

We've been informed of a potentially serious vulnerability in websites using CKAN. Are you able to tell me who the appropriate contact is to discuss this with in relation to Data.sa.gov.au? I believe Jan McConchie has been informed but I just want to make sure the right people are informed.

Regards

Will


Will Luker
Analyst, Security & Risk Assurance
Office of the Chief Information Officer
Department of the Premier and Cabinet
Wakefield House, 30 Wakefield Street, Adelaide 5000
P: 08 8226 1551 | M: 0477 344 029 | E: will.luker at sa.gov.au | W: www.dpc.sa.gov.au

