[CKAN-Security] HTML file upload issue

Ilja Pyykkönen ilja.pyykkonen at gofore.com
Wed Oct 15 11:37:59 UTC 2014


Dear CKAN,

  Seems that you can upload HTML files to CKAN and CKAN happily serves 
those files.

http://demo.ckan.org/dataset/04e4a6f5-7220-4adc-9e8c-a477645f545c/resource/d13d0573-29bc-4909-96ac-b4c0a55a75cc/download/test.html

  This of course allows injecting scripts and using them in the user's context.

  There is commented code that would "fix" this issue, but it is not in use.

https://github.com/ckan/ckan/blob/master/ckan/controllers/storage.py#L185

  This problem also occurs in resource preview.

http://demo.ckan.org/dataset/test1234/resource/d13d0573-29bc-4909-96ac-b4c0a55a75cc

  Also, it seems that HttpOnly is not set for cookies either, so you can use 
this method to steal users' sessions.

Best regards,
  Ilja
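The two fixes the report points at, serving uploads so the browser never renders them as active content in the site's origin, and marking the session cookie HttpOnly, as an added example. This is not CKAN's code and not the commented-out code in storage.py that the mail links to; the header logic, the cookie name "auth_tkt" and the function names are assumptions made for illustration.

```python
"""Hardening for user-uploaded resource downloads (added example, not CKAN's code).

Two independent controls:
  1. safe_download_headers(): never let an uploaded HTML/SVG/XML/JS file be
     rendered inline from the application's origin.
  2. session_cookie(): issue the session cookie with HttpOnly (and Secure),
     so script injected elsewhere cannot read it via document.cookie.
"""
import mimetypes
import re
from http.cookies import SimpleCookie

# Content types a browser will interpret as markup or script and execute
# with the serving origin's privileges if delivered inline.
ACTIVE_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
    "application/javascript",
    "text/javascript",
}


def safe_download_headers(filename, declared_type=None):
    """Return the response headers to use when serving an uploaded file.

    `declared_type` is whatever the uploader claimed (assumed to be untrusted);
    if absent, the type is guessed from the extension.
    """
    guessed, _ = mimetypes.guess_type(filename)
    ctype = (declared_type or guessed or "application/octet-stream")
    # Drop any parameters ("; charset=...") before comparing.
    ctype = ctype.split(";")[0].strip().lower()

    if ctype in ACTIVE_TYPES:
        # Downgrade to plain text so the browser shows source, not a page.
        ctype = "text/plain; charset=utf-8"

    # Strip characters that could break the header or smuggle a second
    # parameter into Content-Disposition.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"

    return {
        "Content-Type": ctype,
        # Stop browsers from sniffing text/plain back into text/html.
        "X-Content-Type-Options": "nosniff",
        # Force a download instead of inline rendering.
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        # Defence in depth: even if something does render, it runs in an
        # opaque origin with no script access to the site's cookies/DOM.
        "Content-Security-Policy": "sandbox",
    }


def session_cookie(value, secure=True):
    """Return a Set-Cookie header value for the session with HttpOnly set.

    "auth_tkt" is an assumed cookie name for the example.
    """
    cookie = SimpleCookie()
    cookie["auth_tkt"] = value
    cookie["auth_tkt"]["path"] = "/"
    cookie["auth_tkt"]["httponly"] = True      # not readable from JavaScript
    cookie["auth_tkt"]["secure"] = secure      # only sent over HTTPS
    cookie["auth_tkt"]["samesite"] = "Lax"     # limits cross-site sending
    return cookie.output(header="").strip()


if __name__ == "__main__":
    # Constructed sample inputs, mirroring the test.html case in the report.
    print(safe_download_headers("test.html"))
    print(safe_download_headers("evil.svg", "image/svg+xml"))
    print(safe_download_headers("data.csv"))
    print(session_cookie("example-session-id"))
```

The same origin problem applies to the resource preview page the mail mentions: if the preview embeds the file in an iframe, that iframe needs the `sandbox` attribute (or the file must be served from a separate, cookie-less origin) for the HttpOnly flag and the download headers above to be enough.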
