[CKAN-Security] Two more security issues

Ross Jones ross at servercode.co.uk
Fri Aug 7 10:43:17 UTC 2015


Hi,

David (CC'd) has kindly allowed me to check out the pentest that was performed on his/our CKAN instance, and so I'm adding the two top-level items so that we can discuss them - I'll add them to the gitlab issues list today so that we can track them.

1. SQL Injection

Problem: It was found that one of the API pages used in your application accepts SQL statements as a GET parameter which can allow an attacker to run arbitrary database queries (we sort of knew this ;) ).

Result: SQLMap found it was possible (with a rather convoluted query) to obtain the name of the database, and the name of the user that is connecting to the database. SQLMap does this as a PoC, but shows that it is possible to bypass any checking that is performed to obtain information that isn't really public.

2. XSS on description field in group

Problem: It was found that when the application displays descriptions of collections which may be created by users, it does not correctly filter special characters such as HTML tags (<).

Result: This vulnerability could enable users who unwittingly click on a malicious link to leak private information to attackers. This information typically includes cookies which provide access to the user’s account and session.

I'm pretty worried by 1, so will be adding a PR soon to allow admins to disable this functionality if they wish.  I haven't checked this specific code, is anyone confident that it *can* be fixed to be secure? Seems like the type of code that everyone will be chasing down edge cases on forever.

Cheers

Ross.
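On item 1, the question of whether an endpoint that accepts raw SQL "can be fixed to be secure" largely comes down to not trying to validate the SQL string at all, and instead constraining what the executing database identity is allowed to do. The example below is added here for illustration and is not CKAN code or anything from the pentest; it uses Python's sqlite3 module with an in-memory database as a stand-in for a PostgreSQL datastore (the table names `resource_1` and `app_user`, the step budget and the function allowlist are all constructed assumptions). The database engine's own authorizer decides per table, per action and per function, so string tricks (comments, case changes, nested subqueries) never reach a hand-written filter; the real-deployment analogue is a dedicated read-only role with only the public tables granted and a statement timeout.

```python
"""Least-privilege execution of caller-supplied SQL (added example, not CKAN code)."""
import sqlite3

PUBLIC_TABLES = {"resource_1"}            # tables a caller may read (constructed)
ALLOWED_FUNCTIONS = {"count", "sum", "min", "max", "avg", "lower", "upper", "length"}
STEP_BUDGET = 1_000_000                   # VM steps before a query is interrupted
PROGRESS_EVERY = 1000                     # how often the progress handler is polled


def build_sample_db():
    """Constructed in-memory database: one public resource table, one private table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE resource_1 (name TEXT, value INTEGER);
        INSERT INTO resource_1 VALUES ('a', 1), ('b', 2);
        CREATE TABLE app_user (name TEXT, password_hash TEXT);
        INSERT INTO app_user VALUES ('admin', 'not-a-real-hash');
    """)
    return conn


def _authorizer(action, arg1, arg2, db_name, trigger):
    """Called by SQLite for every action the statement wants to perform.

    Only plain SELECTs, reads of allowlisted tables and a few built-in
    functions are permitted; everything else (writes, DDL, PRAGMA, ATTACH,
    reads of sqlite_master or private tables) is denied by the engine.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in PUBLIC_TABLES:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def run_public_query(conn, sql, max_rows=100):
    """Run caller-supplied SQL under the authorizer and a CPU budget.

    Returns {"ok": True, "rows": [...]} or {"ok": False, "error": "..."}.
    The SQL text itself is never inspected or rewritten.
    """
    steps = [0]

    def progress():
        steps[0] += PROGRESS_EVERY
        return 1 if steps[0] > STEP_BUDGET else 0   # non-zero interrupts the query

    conn.set_authorizer(_authorizer)
    conn.set_progress_handler(progress, PROGRESS_EVERY)
    try:
        cur = conn.execute(sql)                      # one statement only; ';'-chaining is rejected
        return {"ok": True, "rows": cur.fetchmany(max_rows)}
    except (sqlite3.Error, sqlite3.Warning) as exc:  # "not authorized", "interrupted", multi-statement
        return {"ok": False, "error": str(exc)}
    finally:
        conn.set_authorizer(None)
        conn.set_progress_handler(None, 0)


if __name__ == "__main__":
    db = build_sample_db()
    for q in ("SELECT name, value FROM resource_1 ORDER BY name",
              "SELECT name FROM app_user",
              "SELECT name FROM sqlite_master",
              "DROP TABLE resource_1",
              "PRAGMA database_list"):
        print(q, "->", run_public_query(db, q))
```

The denials come back as ordinary database errors, so the API handler can log them as a security event (a SELECT against a non-public table from an API key is worth alerting on) while returning a generic error to the caller.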
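On item 2, the fix for a user-authored description field is to treat it as untrusted on output: escape everything by default and, if some markup must be allowed, pass it through an allowlist sanitizer rather than a blocklist. The following is an added example, not CKAN's template code; the allowed tag set, the `render_group_page` function and the sample descriptions are constructed for illustration. It is built on the standard library's `html.parser`, so it runs offline, and it shows the vulnerable unescaped rendering beside the sanitized one.

```python
"""Allowlist sanitizer for a user-supplied description field (added example, not CKAN code)."""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}  # constructed allowlist
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class DescriptionSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # tag dropped; any text inside still goes through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                # event handlers, style, etc. never survive
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue                # non-http(s)/mailto URLs are dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                      # stray or disallowed closing tag: ignore
        while self.open_tags:           # close anything opened after it to stay well-formed
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        pass                            # comments are dropped entirely

    def result(self):
        while self.open_tags:           # close tags the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_description(raw):
    parser = DescriptionSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()


def render_group_page(name, description, sanitize=True):
    """Constructed stand-in for a group page template; sanitize=False is the vulnerable form."""
    body = sanitize_description(description) if sanitize else description
    return f'<h1>{html.escape(name)}</h1><div class="description">{body}</div>'


if __name__ == "__main__":
    hostile = '<b onmouseover="steal()">Data</b><script>alert(document.cookie)</script>'
    print("vulnerable:", render_group_page("Group", hostile, sanitize=False))
    print("sanitized: ", render_group_page("Group", hostile))
```

Because `handle_data` escapes unconditionally, a stray `<` in a perfectly innocent description ("1 < 2") is rendered as `&lt;` rather than being interpreted as markup, which is exactly the check the pentest reported as missing.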

