[CKAN-Security] CKAN Security risk identified
Adrià Mercader
adria.mercader at okfn.org
Fri Aug 7 10:06:41 UTC 2015
Hi David,
Thanks for your report.
We've created an issue for this and will try to take action as soon as we
can.
We are aware of similar problems on other file uploads as well like the
normal dataset resources. On the org/groups image case it seems sensibe to
restrict the files to certain formats.
We'll let you know of progress in this front
Adrià
On 7 August 2015 at 09:54, David Miller <david at openhealthcare.org.uk> wrote:
> Hi all,
>
> A routine pentest on a CKAN instance I run just identified the following
> issue:
>
> It was found that the application lets users upload files to create
> avatars for groups which they make. However, the application allows any
> file types to be uploaded which are then stored on the server and can be
> accessed by other users.
>
> An authenticated attacker may take advantage of this issue to upload
> malicious HTML files that can perform various attacks against other users
> including Phishing, Persistent Cross-site Scripting (XSS) and URL
> redirection attacks.
>
> They can also use this to upload viruses which may be downloaded by
> employees causing their machines to potentially be infected. An attacker
> could also use your server to attack other victims by hosting malicious
> files on it.
>
> Solution:
>
> Files should be restricted in your web application environment. It is
> highly recommended to restrict uploading to only whitelisted file types
> such as .JPG, .PNG, etc.
>
> For your convenience, I've replicated this on master.ckan.org :
>
>
> http://master.ckan.org/uploads/group/2015-08-07-085045.896838hello.world.html
>
> Is this a known issue that has come up before?
>
>
> Best
>
> David Miller
>
> Open Health Care
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20150807/4b518156/attachment-0001.html>
More information about the Security
mailing list