[CKAN-Security] Datastore sql injection (write access)

Vitor Baptista vitor at vitorbaptista.com
Fri Oct 10 19:22:46 UTC 2014


Great catch, Alice!

I tried finding SQLi vulnerabilities on the DataStore when working with the
NHM's project, but couldn't find that one. Thank you.

I'm a bit away from the day-to-day CKAN development, as I'm working on my
master's, but you can expect an answer from someone else on the team soon
enough.

Cheers,

2014-10-09 12:29 GMT-03:00 Nigel Babu <nigel.babu at okfn.org>:

> Hi Alice,
>
> I can confirm we've got this email.
>
> Nigel.
>
> On Oct 9, 2014 8:10 PM, Alice Heaton <a.heaton at nhm.ac.uk> wrote:
> >
> > Hello,
> >
> > I have found an SQL Injection :-) On master - I don't think that code
> > was in a release yet.
> >
> > How to reproduce
> > ------------------------
> >
> > On master, upload this CSV file to the datastore:
> >
> > The first field, The second field, MIX FIELD,fo;'));CREATE TABLE
> > breakit(breakit integer);--ürth_field,lat,long
> > a value, another value, a third value, a fourth value,21,14
> > A VALUE, can you, parse thüs?, A FOURTH VALUE,-45,45
> > ?,.*,a%b,""why"",88,-11
> > ',"",;,",",61,12
> > 1,2,3,4,0,0
> >
> > And you will get a new table called 'breakit'! Only the text on the
> > first line, starting at the single quote and finishing at the double dash,
> > is relevant here; the rest was just me doing various tests.
> >
> > What happens
> > -------------------
> >
> > When uploading the table, field names are validated to ensure that they
> > don't contain double quotes, since field names are typically escaped
> > using double quotes. However, there is (at least) one context where field
> > names are enclosed in single, rather than double, quotes: when creating
> > full-text indexes. Specifically, when calling to_tsvector('language',
> > 'field_name').
> >
> > The culprit is _build_fts_indexes in ckanext/datastore/db.py
> >
> > Vitor: I'm cc-ing you because last time I wrote to security at ckan.org I
> > didn't get a reply, so I'm not sure anyone actually reads it...
> >
> > Can you confirm this has been received?
> >
> > Best Wishes,
> > Alice Heaton
> > _______________________________________________
> > CKAN security
> > https://lists.okfn.org/mailman/listinfo/security
>



-- 

Vítor Baptista

Developer  |  http://vitorbaptista.com | LinkedIn
<http://www.linkedin.com/in/vitorbaptista> | @vitorbaptista
<http://twitter.com/vitorbaptista>

The Open Knowledge Foundation <http://okfn.org>

*Empowering through Open Knowledge*

http://okfn.org/  |  @okfn <http://twitter.com/okfn>  |  OKF on Facebook
<https://www.facebook.com/OKFNetwork>  |  Blog <http://blog.okfn.org/>  |
Newsletter <http://okfn.org/about/newsletter/>
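The quoting mismatch described in the report, as an added example that is not CKAN's code: the reported field name passes a double-quote-only check but breaks out of a single-quoted literal, while quoting the value for the context it actually lands in keeps it as one token. The function names, the table name and the index SQL shape are assumptions, and statement_separators is a simplified check rather than a SQL parser.

```python
# Added example, not CKAN's code: models the report's description of
# _build_fts_indexes; the function names and index SQL shape are assumptions.

# The field name from the report's CSV header, reused as test input.
REPORTED_FIELD = "fo;'));CREATE TABLE breakit(breakit integer);--"

def passes_double_quote_check(name):
    """The check the report describes: only '"' is rejected."""
    return '"' not in name

def quote_identifier(name):
    """SQL identifier: double quotes, embedded ones doubled."""
    return '"' + name.replace('"', '""') + '"'

def quote_literal(text):
    """SQL string literal: single quotes, embedded ones doubled."""
    return "'" + text.replace("'", "''") + "'"

def fts_index_unsafe(table, field, lang="english"):
    """The bug: the field name lands raw inside a single-quoted literal."""
    return "CREATE INDEX ON %s USING gist(to_tsvector('%s', '%s'))" % (
        quote_identifier(table), lang, field)

def fts_index_safe(table, field, lang="english"):
    """Each value quoted for the context it lands in (a literal here);
    driver parameter binding is preferable where the driver allows it."""
    return "CREATE INDEX ON %s USING gist(to_tsvector(%s, %s))" % (
        quote_identifier(table), quote_literal(lang), quote_literal(field))

def statement_separators(sql):
    """Count ';' outside quoted tokens and before any '--' comment;
    zero means no second statement was smuggled into the fragment."""
    count, in_quote, i = 0, None, 0
    while i < len(sql):
        c = sql[i]
        if in_quote:
            if c == in_quote:
                if sql[i + 1:i + 2] == in_quote:  # doubled quote, still inside
                    i += 1
                else:
                    in_quote = None
        elif c in ("'", '"'):
            in_quote = c
        elif sql.startswith("--", i):
            break  # rest of the line is a comment
        elif c == ";":
            count += 1
        i += 1
    return count
```

Running statement_separators over the unsafe and the safe index SQL for REPORTED_FIELD shows the former splitting into extra statements and the latter staying a single one.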