[CKAN-Security] FW: Potential Vulnerability - Data.sa.gov.au

Adam McGreggor adam.mcgreggor at okfn.org
Thu Aug 7 12:46:04 UTC 2014


One for security team…

I suspect we may need more info from Will Luker <will.luker at sa.gov.au>.

A


Begin forwarded message:

> From: "Thomas, Alysha (OCIO)" <Alysha.Thomas at sa.gov.au>
> Subject: [CKAN-support] FW: Potential Vulnerability - Data.sa.gov.au [DLM=For-Official-Use-Only]
> Date: 7 August 2014 13:17:15 BST
> To: "'support at ckan.org'" <support at ckan.org>
> Message-Id: <02885F0613E1034881E535BB8327CA9AC23873063E at EMSCM007.sagemsmrd01.sa.gov.au>
> X-Beenthere: ckan-support at lists.okfn.org
> 
> For Official Use Only
> 
> 
> Hi Michelle
>  
> Can you please send an email to support at ckan.org to have this issue investigated
>  
>  
> Below is a quote from the QLD Government people who reported this. They have reported it to CKAN but it may be worth doing the same so the Vendor is aware it’s across all sites using their platform:
>  
> “Serious SQL injection/code execution issue in data.qld.gov.au
>  
> …SQL injection vulnerability found in data.qld.gov.au. Our online team are investigating and have confirmed this vulnerability to be valid and have requested the vendor CKAN to investigate further.
>  
> Please note the team also believe the same serious SQL injection/code execution issue will be present in the federal government site http://data.gov.au/”
>  
> While the above quote discussed the QLD Government site, we have done a quick test and it appears the same vulnerability is present in data.sa.gov.au
>  
> From: Thomas, Alysha (OCIO) 
> Sent: Monday, 28 July 2014 11:22 AM
> To: Luker, Will (OCIO)
> Subject: RE: Potential Vulnerability - Data.sa.gov.au [DLM=For-Official-Use-Only]
>  
> For Official Use Only
> 
> Hi Will
>  
> I manage data.sa, the platform that uses CKAN code.
>  
> e-gov do not use CKAN so it should not be relevant to them.
>  
> I tried to call; however, you had stepped away from your desk. Accordingly, can you please give me a call in regard to this?
>  
> thanks
>  
>  
> Alysha Thomas 
> Program Manager
> Open Data | Open Access and Licensing (AusGOAL)
> Office of the Chief Information Officer 
> Department of Premier and Cabinet
> Phone:  (08) 8226 2387 
> Email:  alysha.thomas at sa.gov.au
> Website: http://www.data.sa.gov.au/
> Level 4 Wakefield House, 30 Wakefield Street, Adelaide SA 5000 
> GPO Box 1484 Adelaide SA 5001
>  
>  
> The information contained in this e-mail is confidential and may be legally or otherwise privileged. If you are not an intended recipient, you must not use, disclose or reproduce any of its contents or attachments. You are asked to delete all copies of the e-mail from your computer system and confirm that you have done so by return e-mail to the sender. This e-mail and any attachments should be scanned to detect any viruses and no liability for loss or damage resulting from the use of any attached file is accepted
>  
>  
>  
>  
>  
> From: Luker, Will (OCIO) 
> Sent: Monday, 28 July 2014 10:23 AM
> To: Thomas, Alysha (OCIO)
> Subject: Potential Vulnerability - Data.sa.gov.au [DLM=For-Official-Use-Only]
>  
> For Official Use Only
> 
> Hi Alysha
>  
> We’ve been informed of a potentially serious vulnerability in websites using CKAN. Are you able to tell me who the appropriate contact is to discuss this with in relation to Data.sa.gov.au? I believe Jan McConchie has been informed but I just want to make sure the right people are informed.
>  
> Regards
>  
> Will
>  
>  
> Will Luker
> Analyst, Security & Risk Assurance
> Office of the Chief Information Officer
> Department of the Premier and Cabinet
> 
> Wakefield House, 30 Wakefield Street, Adelaide 5000
> P: 08 8226 1551| M: 0477 344 029 | E: will.luker at sa.gov.au | W: www.dpc.sa.gov.au
> 
> Information contained in this email message may be confidential and may also be the subject of legal professional privilege or public interest immunity.  If you are not the intended recipient, any use, disclosure or copying of this document is unauthorised.


