[CKAN-Security] CKAN Security risk identified

David Miller david at openhealthcare.org.uk
Fri Aug 7 08:54:24 UTC 2015


Hi all,

A routine pentest on a CKAN instance I run just identified the following
issue:

It was found that the application lets users upload files to create avatars
for groups which they make. However, the application allows any file types
to be uploaded which are then stored on the server and can be accessed by
other users.

An authenticated attacker may take advantage of this issue to upload
malicious HTML files that can perform various attacks against other users
including Phishing, Persistent Cross-site Scripting (XSS) and URL
redirection attacks.

They can also use this to upload viruses which may be downloaded by
employees causing their machines to potentially be infected. An attacker
could also use your server to attack other victims by hosting malicious
files on it.

Solution:

Files should be restricted in your web application environment. It is
highly recommended to restrict uploading to only whitelisted file types
such as .JPG, .PNG, etc.

For your convenience, I've replicated this on master.ckan.org:

http://master.ckan.org/uploads/group/2015-08-07-085045.896838hello.world.html

Is this a known issue that has come up before?


Best

David Miller

Open Health Care
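The allowlist fix suggested in the message, as an added example that is not part of the original post and not CKAN's own upload code: an avatar-upload validator that requires both an allowlisted image extension and matching image magic bytes (so a renamed HTML file is rejected), plus the headers to serve stored avatars with so a browser never sniffs them as HTML. Function names and the sample inputs are constructed for the illustration.

```python
import os

# Allowlisted avatar image types mapped to their leading bytes (magic numbers).
# Added illustration of the allowlist approach; it is not CKAN's upload code.
ALLOWED_IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
                 ".png": "image/png", ".gif": "image/gif"}

class RejectedUpload(ValueError):
    """Raised when an avatar upload fails validation."""

def validate_avatar_upload(filename: str, data: bytes) -> str:
    """Return the normalised extension if the upload is an allowlisted image.
    Extension and content must agree: 'avatar.png' whose bytes start with
    '<html>' is rejected, as is anything ending in .html.
    """
    base = os.path.basename(filename)  # drop any client-supplied directory part
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_IMAGE_SIGNATURES:
        raise RejectedUpload(f"extension {ext!r} is not an allowlisted image type")
    if not any(data.startswith(sig) for sig in ALLOWED_IMAGE_SIGNATURES[ext]):
        raise RejectedUpload(f"content does not match the {ext} image signature")
    return ext

def is_allowed_avatar(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_avatar_upload for a request handler."""
    try:
        validate_avatar_upload(filename, data)
        return True
    except RejectedUpload:
        return False

def avatar_response_headers(ext: str) -> dict:
    """Headers for serving a stored avatar so the browser never treats it as HTML."""
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f"inline; filename=avatar{ext}",
    }

# Constructed sample uploads (not real files): a minimal PNG header and an HTML
# file like the one in the report, which the tests also rename to pose as an image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_HTML = b"<html><body>hello world</body></html>"
```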