[CKAN-Security] CKAN Security risk identified
David Read
david.read at hackneyworkshop.com
Fri Aug 7 10:43:19 UTC 2015
One trick for images is to use the python image library to resize it
slightly. That ensures it is an image to start with and there is
nothing untoward slipped in.
Dave
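An added example of the re-encode trick above combined with the extension allowlist David Miller recommends (example code written for this thread, not CKAN's upload handler; it assumes Pillow is installed, the upload is already in memory, and the names sanitize_avatar, build_sample_png, ALLOWED and InvalidUpload are invented here):

```python
import io
import os
import struct
import zlib

# Allowed extensions mapped to the Pillow format name the bytes must decode to.
ALLOWED = {".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".gif": "GIF"}


class InvalidUpload(ValueError):
    """The upload is not an allowed, well-formed image."""


def sanitize_avatar(filename: str, data: bytes, max_side: int = 512) -> bytes:
    """Return freshly re-encoded avatar bytes, or raise InvalidUpload.
    Extension allowlist + Pillow decode of the claimed format + re-encoding from
    pixels only, so EXIF, comments or bytes appended after the image are dropped."""
    from PIL import Image  # Pillow is assumed installed; imported lazily

    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise InvalidUpload(f"extension {ext!r} is not allowed")
    mode = "RGBA" if ALLOWED[ext] == "PNG" else "RGB"  # JPEG and GIF carry no alpha
    try:
        with Image.open(io.BytesIO(data)) as img:
            if img.format != ALLOWED[ext]:
                raise InvalidUpload(f"content is {img.format}, expected {ALLOWED[ext]}")
            img.load()  # full decode: truncated or corrupt pixel data fails here
            # Build a new image from pixel bytes only; the original's metadata is gone.
            clean = Image.frombytes(mode, img.size, img.convert(mode).tobytes())
    except InvalidUpload:
        raise
    except Exception as exc:  # Pillow raises assorted errors for non-images
        raise InvalidUpload(f"not a decodable image: {exc}") from exc
    clean.thumbnail((max_side, max_side))  # the "resize slightly" step; only shrinks
    out = io.BytesIO()
    clean.save(out, format=ALLOWED[ext])
    return out.getvalue()


def build_sample_png(width: int = 2, height: int = 2, trailer: bytes = b"") -> bytes:
    """Constructed sample input: a minimal 8-bit RGB PNG, optionally followed by
    `trailer` bytes after IEND, the way a smuggled payload would be appended."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF)
        return struct.pack(">I", len(body)) + tag + body + crc
    rows = b"".join(b"\x00" + b"\xc8\x1e\x1e" * width for _ in range(height))  # filter 0, red
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # bit depth 8, colour type RGB
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"") + trailer)
```

In a form handler the returned bytes, not the original upload, are what gets written to the uploads directory, and a rejected file never reaches disk.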
On 7 August 2015 at 11:06, Adrià Mercader <adria.mercader at okfn.org> wrote:
> Hi David,
>
> Thanks for your report.
>
> We've created an issue for this and will try to take action as soon as we
> can.
>
> We are aware of similar problems on other file uploads as well like the
> normal dataset resources. On the org/groups image case it seems sensible to
> restrict the files to certain formats.
>
> We'll let you know of progress on this front.
>
> Adrià
>
>
> On 7 August 2015 at 09:54, David Miller <david at openhealthcare.org.uk> wrote:
>>
>> Hi all,
>>
>> A routine pentest on a CKAN instance I run just identified the following
>> issue:
>>
>> It was found that the application lets users upload files to create
>> avatars for groups which they make. However, the application allows any file
>> types to be uploaded which are then stored on the server and can be accessed
>> by other users.
>>
>> An authenticated attacker may take advantage of this issue to upload
>> malicious HTML files that can perform various attacks against other users
>> including Phishing, Persistent Cross-site Scripting (XSS) and URL
>> redirection attacks.
>>
>> They can also use this to upload viruses which may be downloaded by
>> employees causing their machines to potentially be infected. An attacker
>> could also use your server to attack other victims by hosting malicious
>> files on it.
>>
>> Solution:
>>
>> Files should be restricted in your web application environment. It is
>> highly recommended to restrict uploading to only whitelisted file types such
>> as .JPG, .PNG, etc.
>>
>> For your convenience, I've replicated this on master.ckan.org:
>>
>>
>> http://master.ckan.org/uploads/group/2015-08-07-085045.896838hello.world.html
>>
>> Is this a known issue that has come up before?
>>
>>
>> Best
>>
>> David Miller
>>
>> Open Health Care
>>
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security