[CKAN-Security] Fwd: security vulnerability in CKAN
Matt Moore
matt.moore at okfn.org
Mon Mar 2 08:18:43 UTC 2015
---------- Forwarded message ----------
From: dophine britanico <dophine at gmail.com>
Date: 2 March 2015 at 07:48
Subject: Re: security vulnerability in CKAN
To: Matt Moore <matt.moore at okfn.org>
Hi,
Thank you. I believe in responsible security disclosure, so I contacted you.
Here is what I found while auditing our CKAN server.
vulnerability: CKAN API
URL: http://demo.ckan.org/api/action/datastore_search_sql
SQL injection points: ?sql=INJECT HERE
To replicate:
Install JSON View plugin for firefox or chrome
POC:
http://demo.ckan.org/api/action/datastore_search_sql?sql=SELECT%20inet_server_addr%28%29;
Sample SQL:
SELECT current_database()
SELECT current_user;
SELECT inet_server_addr();
SELECT version()
The vulnerable URL will return sensitive information; a persistent attacker
will use and escalate this to a total server compromise.
Google dork:
inurl:datastore_search_sql
This can also be directly fingerprinted and replicated on any website using
CKAN.
The US data portal www.data.gov is vulnerable as well; I have also contacted
them in case your response is delayed.
site:.gov datastore_search_sql
Suggested Fix:
Sanitize or remove the 'sql' input parameter from datastore_search_sql
Remove the api_info.html?resource_id sample query from the default install
Sincerely,
Michael Britanico
On Mon, Mar 2, 2015 at 3:27 PM, Matt Moore <matt.moore at okfn.org> wrote:
> Dophine,
>
> If you could provide us with some information, then we can look into the
> vulnerability. I've mentioned this to our development team, but without
> some information, there's not much we can do.
>
> Thanks,
>
> Matthew Moore
>
> On 2 March 2015 at 06:13, dophine britanico <dophine at gmail.com> wrote:
>
>> Hello,
>>
>> I would like to inform you of a remote and serious vulnerability in the
>> default and recent version of CKAN and probably all recent versions of CKAN.
>>
>> Please contact me anytime.
>>
>> Dophine "Michael" Britanico
>> Security Researcher
>> (+63) 9151100672
>>
>>
>
>
> --
> Matthew Moore
> Sysadmin
> Open Knowledge - www.okfn.org
> Skype - notmatt
>
--
Matthew Moore
Sysadmin
Open Knowledge - www.okfn.org
Skype - notmatt
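The report above concerns a `sql` request parameter that is handed straight to PostgreSQL, with the probes `SELECT version()`, `SELECT current_user;`, `SELECT current_database()` and `SELECT inet_server_addr();` used to show server metadata leaking. The following is an added example, not code from this thread or from the CKAN project: a strict validator for such a parameter that tokenizes the query, accepts only a single SELECT, refuses comments, statement chaining, `$`-quoting and anything else it cannot tokenize, and refuses the introspection and host-access functions the report relies on. The deny-lists, the `tokenize`/`validate_datastore_sql`/`rejection_reason` names and the sample table name `"d0e1f2"` are my own constructions; nothing here describes how CKAN itself restricts the endpoint.

```python
"""Deny-list validator for a raw ``sql`` query parameter.

Added example (not CKAN's own code): a handler that passes ``sql``
straight to PostgreSQL must at least restrict it to a single SELECT
and refuse the introspection and host-access functions the report
probes with (inet_server_addr(), version(), current_user, ...).
The deny-lists below are my own, not lists taken from the project.
"""
import re

MAX_QUERY_LENGTH = 4096

# Functions that reveal server metadata or reach the host; matched
# case-insensitively whenever the name is directly followed by "(".
DENIED_FUNCTIONS = frozenset({
    "inet_server_addr", "inet_server_port", "inet_client_addr",
    "inet_client_port", "version", "current_database", "current_setting",
    "set_config", "dblink", "dblink_connect", "lo_import", "lo_export",
    "query_to_xml",
})

# Special functions PostgreSQL evaluates even without parentheses
# (SELECT current_user;), so a bare unqualified reference is refused too.
DENIED_BARE = frozenset({
    "current_user", "session_user", "current_role", "current_catalog",
    "current_schema", "user",
})

# Statement types and clauses that have no place in a search query.
DENIED_KEYWORDS = frozenset({
    "into", "insert", "update", "delete", "drop", "alter", "create",
    "truncate", "grant", "revoke", "copy", "lock", "set", "do", "execute",
    "vacuum",
})

_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<string>'(?:[^']|'')*')          # standard single-quoted literal
  | (?P<qident>"(?:[^"]|"")*")          # double-quoted identifier
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<punct>[(),.;*=<>+\-/%!|:\[\]])
""", re.VERBOSE)


def tokenize(sql):
    """Split ``sql`` into (kind, text) tokens; anything the grammar does not
    know (backslashes, $-quoting, bind parameters, ...) is rejected outright."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError("unexpected character %r at offset %d" % (sql[pos], pos))
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def validate_datastore_sql(sql):
    """Return the query (one trailing ';' stripped) or raise ValueError."""
    if len(sql) > MAX_QUERY_LENGTH:
        raise ValueError("query too long")
    if "--" in sql or "/*" in sql:
        raise ValueError("comments are not allowed")
    tokens = tokenize(sql)
    if tokens and tokens[-1] == ("punct", ";"):
        tokens.pop()                        # a single trailing ';' is harmless
    if not tokens or tokens[0][0] != "ident" or tokens[0][1].lower() != "select":
        raise ValueError("only SELECT statements are allowed")
    for i, (kind, text) in enumerate(tokens):
        if (kind, text) == ("punct", ";"):
            raise ValueError("only a single statement is allowed")
        if kind not in ("ident", "qident"):
            continue                        # literals and punctuation are inert
        name = text.lower() if kind == "ident" else text[1:-1].replace('""', '"')
        is_call = i + 1 < len(tokens) and tokens[i + 1] == ("punct", "(")
        qualified = i > 0 and tokens[i - 1] == ("punct", ".")
        # pg_* covers pg_read_file(), pg_sleep(), pg_user, pg_catalog.version() ...
        if name.startswith("pg_") or name == "information_schema":
            raise ValueError("system catalog access is not allowed: %s" % name)
        if is_call and name in DENIED_FUNCTIONS:
            raise ValueError("function is not allowed: %s()" % name)
        if kind == "ident" and name in DENIED_KEYWORDS:
            raise ValueError("keyword is not allowed: %s" % name.upper())
        if kind == "ident" and name in DENIED_BARE and not qualified:
            raise ValueError("special function is not allowed: %s" % name)
    cleaned = sql.strip()
    if cleaned.endswith(";"):
        cleaned = cleaned[:-1].rstrip()
    return cleaned


def rejection_reason(sql):
    """None if ``sql`` passes, otherwise the reason it was refused."""
    try:
        validate_datastore_sql(sql)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # The report's four probes, a chained statement, a schema-qualified
    # call, and a benign query against a constructed table name.
    for q in ("SELECT current_database()", "SELECT current_user;",
              "SELECT inet_server_addr();", "SELECT version()",
              "SELECT 1; DROP TABLE t", "SELECT pg_catalog.version()",
              'SELECT "name", count(*) FROM "d0e1f2" GROUP BY "name" LIMIT 10'):
        print("%-70s -> %s" % (q, rejection_reason(q) or "allowed"))
```

A validator like this is the second line of defence, not the first: the query must still be executed by a dedicated database role that has SELECT on the datastore tables and nothing else, inside a read-only transaction with a statement timeout. Note that such a role still answers `version()`, `current_user` and `inet_server_addr()`, which is exactly why those names are refused here, and that a deny-list is never complete; where the raw-SQL search is not needed, disabling the endpoint (the reporter's first suggestion) is the stronger fix.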