[CKAN-Security] CKAN Security risk identified
David Miller
david at openhealthcare.org.uk
Fri Aug 7 08:54:24 UTC 2015
Hi all,

A routine pentest on a CKAN instance I run just identified the following
issue:

It was found that the application lets users upload files to create avatars
for groups which they make. However, the application allows any file types
to be uploaded, which are then stored on the server and can be accessed by
other users.

An authenticated attacker may take advantage of this issue to upload
malicious HTML files that can perform various attacks against other users,
including Phishing, Persistent Cross-site Scripting (XSS) and URL
redirection attacks.

They can also use this to upload viruses which may be downloaded by
employees, causing their machines to potentially be infected. An attacker
could also use your server to attack other victims by hosting malicious
files on it.

Solution:

Files should be restricted in your web application environment. It is
highly recommended to restrict uploading to only whitelisted file types
such as .JPG, .PNG, etc.

For your convenience, I've replicated this on master.ckan.org:
http://master.ckan.org/uploads/group/2015-08-07-085045.896838hello.world.html

Is this a known issue that has come up before?

Best
David Miller
Open Health Care
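As an added example of the file-type whitelist the post recommends (this is illustration code, not CKAN's own upload handling): a Python check that admits only image extensions, confirms the file's leading bytes agree with the claimed type, and returns the headers to serve the stored file with. The type table, size limit and function names are constructed for this example.

```python
"""Allow-list validation for avatar uploads (added example, not CKAN code).

Both the extension and the leading "magic" bytes are checked, so an HTML
document renamed to .png is rejected as well as hello.world.html.
"""
import os
import re

# Allowed image types: extension -> (accepted magic-byte prefixes, MIME type)
ALLOWED_IMAGE_TYPES = {
    ".png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # constructed size limit for this example


class UploadRejected(ValueError):
    """Raised when an upload fails allow-list validation."""


def validate_avatar(filename: str, data: bytes) -> tuple:
    """Return (safe_filename, mime_type) or raise UploadRejected."""
    if len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("file too large")
    # Use the basename only, so path parts in the client name are discarded.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_TYPES:
        raise UploadRejected(f"extension {ext!r} is not on the allow-list")
    magics, mime = ALLOWED_IMAGE_TYPES[ext]
    # The extension is only a client claim; the bytes must agree with it.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("file content does not match its extension")
    # Keep a conservative character set in the stored name.
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "avatar"
    return safe_stem + ext, mime


def response_headers(mime: str) -> dict:
    """Headers for serving a validated avatar: the explicit image type plus
    nosniff, so a browser never reinterprets the body as HTML."""
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
```

Serving uploads from a separate origin (or with nosniff as above) limits the damage even if a check is ever bypassed, since a document that does render is then not same-origin with the application.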