[CKAN-Security] HTML file upload issue
ilja.pyykkonen at gofore.com
Wed Oct 15 11:37:59 UTC 2014
Seems that you can upload HTML files to CKAN and CKAN happily serves
This of course allows injecting scripts and using it in user context.
There is commented code that would "fix" this issue, but it is not in use.
This problem also occurs in resource preview.
Also, it seems that HttpOnly is not set for cookies either, so you can use
this method to steal users' sessions.