[ECODP-dev] Important: CKAN security upgrade and restricting API access

Darwin Peltan darwin.peltan at okfn.org
Mon Aug 5 15:36:37 UTC 2013


Dear Olivier,

Last week we identified an issue with the CKAN API that could potentially
allow users to access the API with higher privileges than they should have.
We discovered this vulnerability during our own development work and have
no reason to believe that it is known to anyone outside the OKF team. We
have created a patch and we would like to work with you to ensure that the EU
ODP site is protected from the vulnerability as quickly as possible. Therefore
please see the details below.

The vulnerability exists in the "/api/action/user_update" API call so the
first step is to ensure that this action isn't available to any external
users. In previous discussions around the security of the site (during work
on release 07.50) we agreed that certain URLs and API calls (including all
"user" actions) would be blocked from the outside world by your proxy
server (Big IP). However looking at the API it looks like these rules
haven't all been implemented. Therefore we need to ensure that the proxy
configuration is changed as soon as possible. This will protect the site
from the vulnerability until the patch is deployed.

You can see the details of the URLs which need to be blocked at the link
below:

https://docs.google.com/a/okfn.org/document/d/1MoTsSe3kcQF1F7LeYI7pGEs9KvHX13E8jYSJV90RLDM/edit

Blocking these URLs at the proxy will prevent external users accessing the
affected API call, so it will protect the currently deployed release (08.x) and
release 09.01.

The next step is to create a new EU ODP release containing a small patch
which removes the issue with that API call. This is a small code change so
will be easy to deploy (no database migrations etc. are required) but it
will require 10F to create a new RPM. We will also release an updated
version of CKAN at the same time so we would like to make sure that your
proxy configuration has been updated before then. (We won't be announcing
the vulnerability when we release the new version but it would be best to
have the proxy changes in place before it's released.)

Therefore please see below the suggested timeline:

* PO to update proxy configuration as soon as possible

* OKF to commit patch to project - Thursday

* 10F to create new RPM and send to PO - Thursday onwards

We would like to release the CKAN upgrade to the CKAN community on Thursday.
Therefore, please can you let me know ASAP if you won't be able to update
your proxy configuration by then?

I'm afraid I'm out of the office tomorrow morning and so will probably not
be able to join the weekly update call but David and John are available via
email to answer any questions you might have. I'm also available for a call
in the afternoon if that would be helpful.

Kind regards,

Darwin

Darwin Peltan

Project Manager  |  skype: darwinp  |  twitter: @darwin <http://twitter.com/darwin>

The Open Knowledge Foundation <http://okfn.org/>

Empowering through Open Knowledge

http://okfn.org/  |  @okfn <http://twitter.com/OKFN>  |  OKF on Facebook <https://www.facebook.com/OKFNetwork>  |  Blog <http://blog.okfn.org/>  |  Newsletter <http://okfn.org/about/newsletter>

CKAN | http://ckan.org | @ckanproject <http://twitter.com/ckanproject> | open source data management platform
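The interim mitigation described in the message above is a path-based deny rule at the proxy for the `user_*` actions of the CKAN action API. The following is an added illustration of how such a rule should be evaluated, not code from the email, from CKAN or from the Big-IP configuration it refers to; the versioned `/api/{1,2,3}/action/` prefixes are an assumption drawn from CKAN 2.x routing, and the normalisation choices (double percent-decoding, dot-segment resolution, lower-casing) are assumed defensive measures so that an encoded or oddly-shaped request path does not slip past a naive string match.

```python
import posixpath
from urllib.parse import unquote

# Prefixes under which CKAN serves action API calls. The versioned forms are an
# assumption based on CKAN 2.x routing; the email only names /api/action/.
ACTION_PREFIXES = ("/api/action/", "/api/1/action/", "/api/2/action/", "/api/3/action/")

def normalize_path(request_target):
    """Canonicalise the request path so encoding tricks cannot slip past the rule."""
    path = request_target.split("?", 1)[0]   # request-target as the proxy sees it
    for _ in range(2):                        # decode twice to collapse double encoding
        path = unquote(path)
    path = posixpath.normpath(path)           # resolves "."/".." segments and "//"
    # normpath keeps a leading "//"; force one slash. Lower-casing makes the
    # rule over-block rather than under-block (an assumed defensive choice).
    return "/" + path.lstrip("/").lower()

def action_name(request_target):
    """Return the CKAN action named in the path, or None if it is not an action call."""
    path = normalize_path(request_target)
    for prefix in ACTION_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):].split("/", 1)[0]
    return None

def is_blocked_external(request_target):
    """True when the proxy should refuse this request from the outside world."""
    name = action_name(request_target)
    return name is not None and name.startswith("user_")

# Constructed sample requests, as a proxy access log might record them.
SAMPLE_REQUESTS = [
    "/api/action/user_update",
    "/api/3/action/user_update?id=alice",
    "/api/action/user%5Fupdate",
    "/api/3/action/../action/user_list",
    "/api/action/package_show?id=some-dataset",
    "/dataset/user_update",
]

def filter_requests(targets=SAMPLE_REQUESTS):
    """Pair each request with the proxy's decision (True = block)."""
    return [(target, is_blocked_external(target)) for target in targets]

if __name__ == "__main__":
    for target, blocked in filter_requests():
        print("BLOCK" if blocked else "ALLOW", target)
```

The third, fourth and sixth samples are the ones a rule that only matches the literal string `/api/action/user_update` gets wrong; checking a proxy rule against such variants is the practical way to confirm the block actually covers the whole `user` action family.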