[CKAN-Security] Fwd: security vulnerability in CKAN

Fri Jul 3 15:36:27 UTC 2015

yeah sounds sensible, I don't think it needs a lower (see
http://demo.ckan.org/api/action/datastore_search_sql?sql=SELECT%20*%20from%20PG_user;),
will have to take a look at the datastore helper that fetches the
table names to know fully what is going on.

On 3 July 2015 at 16:18, Ian Ward <ian at excess.org> wrote:
> Let's add Michael's list of tables to the ones we're blacklisting
> (currently just pg_* IIUC).
>
> Also, should there be a t.lower() here?:
>
> https://github.com/ckan/ckan/blob/master/ckanext/datastore/db.py#L1221
>
>
> On Mon, Mar 2, 2015 at 5:28 AM, Adrià Mercader <adria.mercader at okfn.org> wrote:
>> Thanks Michael,
>>
>> We'll discuss the issue and come back to you.
>>
>> Adrià
>>
>> On 2 March 2015 at 08:18, Matt Moore <matt.moore at okfn.org> wrote:
>>>
>>> ---------- Forwarded message ----------
>>> From: dophine britanico <dophine at gmail.com>
>>> Date: 2 March 2015 at 07:48
>>> Subject: Re: security vulnerability in CKAN
>>> To: Matt Moore <matt.moore at okfn.org>
>>>
>>>
>>> Hi,
>>>
>>> Thank you  I believe in responsible security disclosure so I contacted you
>>> here is what i found while auditing our CKAN server.
>>>
>>> vulnerability: CKAN API
>>>
>>> URL: http://demo.ckan.org/api/action/datastore_search_sql
>>> SQL injection points: ?sql=INJECT HERE
>>>
>>> To replicate:
>>> Install JSON View plugin for firefox or chrome
>>>
>>> POC:
>>> http://demo.ckan.org/api/action/datastore_search_sql?sql=SELECT%20inet_server_addr%28%29;
>>>
>>> Sample: SQL
>>> SELECT current_database()
>>> SELECT current_user;
>>> SELECT inet_server_addr();
>>> SELECT version()
>>>
>>> Vulnerable URL will returned sensitive information, Persistent attacker will
>>> use and escalate this to a total server compromise.
>>>
>>> Google dork:
>>> inurl:datastore_search_sql
>>>
>>> This can be also directly fingerprinted and replicated to any website using
>>> CKAN.
>>>
>>> Vulnerable as well is US data portal www.data.gov, in which I have also
>>> contacted them  in case respond from yours is delayed
>>>
>>> site:.gov datastore_search_sql
>>>
>>> Suggested Fix:
>>> Sanitize or remove 'sql' input paramater from datastore_search_sql
>>> Remove api_info.html?resource_id sample query sample  from default install
>>>
>>>
>>> Sincerely,
>>> Michael Britanico
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Mar 2, 2015 at 3:27 PM, Matt Moore <matt.moore at okfn.org> wrote:
>>>>
>>>> Dophine,
>>>>
>>>> If you could provide us with some information, then we can look into the
>>>> vulnerability.  I've mentioned this to our development team, but without
>>>> some information, there's not much we can do.
>>>>
>>>> Thanks,
>>>>
>>>> Matthew Moore
>>>>
>>>> On 2 March 2015 at 06:13, dophine britanico <dophine at gmail.com> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> I would like to inform you of a remote and serious vulnerability in the
>>>>> default and recent version of CKAN and probably all recent versions of CKAN.
>>>>>
>>>>> Please contact me anytime.
>>>>>
>>>>> Dophine "Michael" Britanico
>>>>> Security Researcher
>>>>> (+63) 9151100672
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Matthew Moore
>>>> Sysadmin
>>>> Open Knowledge - www.okfn.org
>>>> Skype - notmatt
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Matthew Moore
>>> Sysadmin
>>> Open Knowledge - www.okfn.org
>>> Skype - notmatt
>>>
>>> _______________________________________________
>>> CKAN security
>>> https://lists.okfn.org/mailman/listinfo/security
>>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>>
>>> Repo: https://github.com/ckan/ckan-security
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/ian%40excess.org
>>
>> Repo: https://github.com/ckan/ckan-security
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/joe.tsoi%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security