[CKAN-Security] Datastore sql injection (write access)
vitor at vitorbaptista.com
Fri Oct 10 19:22:46 UTC 2014
Great catch, Alice!
I tried finding SQLi vulnerabilities on the DataStore when working with the
NHM's project, but couldn't find that one. Thank you.
I'm a bit away from the day-to-day CKAN development, as I'm working on my
master's, but you can expect an answer from someone else from the team soon.
2014-10-09 12:29 GMT-03:00 Nigel Babu <nigel.babu at okfn.org>:
> Hi Alice,
> I can confirm we've got this email.
> On Oct 9, 2014 8:10 PM, Alice Heaton <a.heaton at nhm.ac.uk> wrote:
> > Hello,
> > I have found an SQL Injection :-) On master - I don't think that code
> > was in a release yet.
> > How to reproduce
> > ------------------------
> > On master, upload this CSV file to the datastore:
> > The first field, The second field, MIX FIELD,fo;'));CREATE TABLE
> > breakit(breakit integer);--ürth_field,lat,long
> > a value, another value, a third value, a fourth value,21,14
> > A VALUE, can you, parse thüs?, A FOURTH VALUE,-45,45
> > ?,.*,a%b,""why"",88,-11
> > ',"",;,",",61,12
> > 1,2,3,4,0,0
> > And you will get a new table called 'breakit' ! Only the text on the
> > first line starting at the single quote and finishing at the double dash
> > is relevant here; the rest was just me doing various tests.
> > What happens
> > -------------------
> > When uploading the table, field names are validated to ensure that they
> > don't contain double quotes, since field names are typically escaped
> > using double quotes. However there is (at least) one context where field
> > names are enclosed in single, rather than double, quotes: when creating
> > full text indexes. Specifically when calling to_tsvector('language',
> > 'field_name').
> > The culprit is _build_fts_indexes in ckanext/datastore/db.py
> > Vitor: I'm cc-ing you because last time I wrote to security at ckan.org I
> > didn't get a reply, so I'm not sure anyone actually reads it...
> > Can you confirm this has been received?
> > Best Wishes,
> > Alice Heaton
> > _______________________________________________
> > CKAN security
> > https://lists.okfn.org/mailman/listinfo/security
Developer | http://vitorbaptista.com | LinkedIn
<http://www.linkedin.com/in/vitorbaptista> | @vitorbaptista
The Open Knowledge Foundation <http://okfn.org>
*Empowering through Open Knowledge*
http://okfn.org/ | @okfn <http://twitter.com/okfn> | OKF on Facebook
<https://www.facebook.com/OKFNetwork> | Blog <http://blog.okfn.org/> |
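Added example, not CKAN's code and not part of this thread: a reconstruction of the pattern Alice describes (a field name checked only for double quotes, then dropped into a single-quoted literal) beside a hardened version that references the column as a quoted identifier, exercised with the field name from her CSV. The function names, the statement-counting check and the cast-to-text form of the index expression are my own assumptions.

```python
# Field name taken from the CSV in the report above; the injected text is the
# part between the single quote and the double dash.
REPORTED_FIELD = "fo;'));CREATE TABLE breakit(breakit integer);--ürth_field"


def validate_field_name(name: str) -> None:
    """The check the report describes: double quotes only. That is enough for a
    "..." identifier context but says nothing about a '...' literal context."""
    if '"' in name:
        raise ValueError("field names may not contain double quotes")


def quote_identifier(name: str) -> str:
    """PostgreSQL identifier quoting: wrap in double quotes, double inner ones."""
    return '"' + name.replace('"', '""') + '"'


def build_fts_index_vulnerable(table: str, field: str) -> str:
    """Reconstruction (assumption) of the reported pattern: the validated name is
    interpolated into a single-quoted string, so a ' in it ends the literal."""
    validate_field_name(field)
    return ("CREATE INDEX ON {t} USING gist(to_tsvector('english', '{f}'))"
            .format(t=quote_identifier(table), f=field))


def build_fts_index_hardened(table: str, field: str) -> str:
    """Hardened variant: the column is referenced as a quoted identifier and cast
    to text, so the field name never enters a string-literal context at all."""
    validate_field_name(field)
    return ("CREATE INDEX ON {t} USING gist(to_tsvector('english', "
            "cast({f} as text)))"
            .format(t=quote_identifier(table), f=quote_identifier(field)))


def statement_count(sql: str) -> int:
    """Count ';' terminators outside quoted identifiers and string literals.
    A single well-formed CREATE INDEX statement has none; a regression test can
    assert this on every generated statement."""
    count, quote = 0, None
    for ch in sql:
        if quote:                      # inside '...' or "..."; a doubled quote
            if ch == quote:            # closes and immediately reopens, which
                quote = None           # keeps the scan correct
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            count += 1
    return count


if __name__ == "__main__":
    for build in (build_fts_index_vulnerable, build_fts_index_hardened):
        sql = build("breakit_test", REPORTED_FIELD)
        print(build.__name__, "->", statement_count(sql), "extra terminator(s)")
```

With the reported field name the vulnerable builder emits two statement terminators (the injected CREATE TABLE runs as a separate statement), while the hardened builder emits none.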