[CKAN-Security] API keys and password hashes in public HTML on CKAN
Keith.Moss at landgate.wa.gov.au
Mon Feb 29 00:27:12 UTC 2016
Hi CKAN Security,
We received the below report recently about the leak of sensitive user information on the /stats page of two of our CKAN installs in Western Australia.
The leak was caused by debug mode still being enabled on both installs by mistake, which resulted in the leak of the information behind the "Users Creating Most Datasets"<https://github.com/ckan/ckan/blob/91e41b2e68faa3df5296a632f4862f5a55e69e62/ckanext/stats/templates/ckanext/stats/index.html#L151-L169> tab of the ckanext-stats.
In this case the highest risk came from exposure of the API keys for three sysadmin users, with the leak of the password hashes being a concern, but not as much of an immediate risk.
We’ve since taken the necessary steps to turn off debug mode, reset the passwords and API keys for the affected users, and scrub the cached information from Google and Bing’s search indexes.
I’ve not got a CKAN dev environment established locally, or I’d send a PR, but I’d suggest the simplest solution to address this would be a large and obvious banner at the top of the page warning that debug mode is enabled and should be disabled on any live and publicly-accessible system.
With time and unlimited resources it would also be good to scrub that information as part of the debug.html template<https://github.com/ckan/ckan/blob/91e41b2e68faa3df5296a632f4862f5a55e69e62/ckan/templates/snippets/debug.html> to prevent inadvertent leaks by CKAN or its extensions in the future.
data.wa.gov.au<http://data.wa.gov.au/> – Providing access to WA government data | Landgate<http://www0.landgate.wa.gov.au/>
p. 08 9273 7070 | m. +61 4 8872 6571 | e. keith.moss at landgate.wa.gov.au
@datagovwa<https://twitter.com/datagovwa> | slip.landgate.wa.gov.au<http://slip.landgate.wa.gov.au/>
On 23/02/2016, 15:28, "Alex Osborne" <AOSBORNE at nla.gov.au<mailto:AOSBORNE at nla.gov.au>> wrote:
Hi Florian and Keith,
Just wanted to let you know that what appears to be your password hashes and API keys are being exposed publicly in the source code to this page:
I've redacted the hashes and keys below but they're present in the above page.
User id=b1498f81-06c0-4ca4-adc2-fdd312729923 name=florianm openid=None password=$pbkdf2-sha512$19000$**REDACTED** fullname=Florian Mayer email=Florian.Mayer at dpaw.wa.gov.au apikey=**REDACTED** created=2015-10-09 02:10:59.769325 reset_key=**REDACTED** about= activity_streams_email_notifications=False sysadmin=True state=active
User id=637d92da-da5b-40c0-9c38-f3d3bf0dbafc name=keithm openid=None password=$pbkdf2-sha512$19000$**REDACTED** fullname=Keith Moss email=keith.moss at landgate.wa.gov.au apikey=**REDACTED** created=2015-10-13 05:39:08.899377 reset_key=None about= activity_streams_email_notifications=False sysadmin=True state=active
Hopefully sysadmin=True means you're the right people to tell about it or at least know who to get in contact with.
I stumbled upon it by accident when Googling "site:gov.au pbkdf2" to see if there were any government-wide guidelines about password hashing algorithms and thought I'd better tell someone.
IT Services Branch
National Library of Australia
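The two mitigations discussed in this thread, scrubbing sensitive model fields before a debug dump is rendered and checking rendered pages for credential material, can both be expressed as small functions. The following is an added example for this archive page, not CKAN's own code or anything from ckanext-stats: the field names (password, apikey, reset_key) and the key=value dump shape are taken from the report quoted above, while the regular expressions, function names and the sample dump (with made-up ids, hash and key) are this example's own assumptions.

```python
import re

# Attributes of a CKAN User object whose values must never reach a rendered
# page, in normal output or in debug-mode dumps.  The names follow the
# key=value dump format quoted in the report; this list is an assumption of
# the example, not a CKAN constant.
SENSITIVE_KEYS = ("password", "apikey", "reset_key")

# Matches `key=value` for a sensitive key, where the value runs up to the next
# whitespace (the dump separates pairs with single spaces).
_PAIR_RE = re.compile(r"\b(%s)=(\S*)" % "|".join(SENSITIVE_KEYS))

# passlib-style PBKDF2 hash prefix, as in `$pbkdf2-sha512$19000$...`.
_HASH_RE = re.compile(r"\$pbkdf2-sha(?:256|512)\$\d+\$")


def redact_sensitive_fields(text, mask="**REDACTED**"):
    """Return `text` with the value of every sensitive key replaced by `mask`.

    Intended for use before a model dump is placed in a debug template, so a
    leak of the dump exposes no credential material.
    """
    def _sub(m):
        key, value = m.group(1), m.group(2)
        # An empty or `None` value leaks nothing; keep it visible for debugging.
        if value in ("", "None"):
            return m.group(0)
        return "%s=%s" % (key, mask)
    return _PAIR_RE.sub(_sub, text)


def find_credential_leaks(html):
    """Return a sorted list of the sensitive fields and hash markers present in `html`.

    A defender can run this over the source of publicly reachable pages (for
    example the stats page) to confirm that no debug output is leaking.
    """
    found = set()
    for m in _PAIR_RE.finditer(html):
        value = m.group(2)
        # Already-masked values (as in the report's own redaction) are not leaks.
        if value not in ("", "None") and not value.startswith("**"):
            found.add(m.group(1))
    if _HASH_RE.search(html):
        found.add("pbkdf2-hash")
    return sorted(found)


# Constructed sample in the shape of the dump quoted in the report; every id,
# name, address, hash and key here is made up for this example.
SAMPLE_DUMP = (
    "User id=00000000-0000-4000-8000-000000000001 name=example openid=None "
    "password=$pbkdf2-sha512$19000$c2FsdHNhbHQ$ZmFrZWhhc2hmYWtlaGFzaA fullname=Example User "
    "email=example@example.invalid apikey=00000000-0000-4000-8000-0000000000aa "
    "created=2016-02-23 15:28:00.000000 reset_key=None about= "
    "activity_streams_email_notifications=False sysadmin=True state=active"
)


if __name__ == "__main__":
    print("leaks before redaction:", find_credential_leaks(SAMPLE_DUMP))
    redacted = redact_sensitive_fields(SAMPLE_DUMP)
    print(redacted)
    print("leaks after redaction:", find_credential_leaks(redacted))
```

Note that the report's own redaction kept the `$pbkdf2-sha512$19000$` prefix, which is why the scanner treats that prefix as an indicator on its own: even a partially masked hash line tells a reader which algorithm and iteration count are in use. The redaction function replaces the whole value so that nothing about the hash survives in the dump.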