[CKAN-Security] Security post from keith.moss at landgate.wa.gov.au requires approval
Adrià Mercader
adria.mercader at okfn.org
Mon Feb 29 09:21:31 UTC 2016
Hi Keith,
Thanks for reaching out. We'll discuss the best approach for minimising
this risk and come back to you.
Banners are an obvious approach for the case you describe of the debug mode
being inadvertently turned on on a production site, but for the most common
use case (developing on your local machine) they interfere with the theming
and styling. Perhaps we can limit what's shown on the template you mention.
Cheers,
Adrià
On 29 Feb 2016 00:37, <security-owner at lists.okfn.org> wrote:
> As list administrator, your authorization is requested for the
> following mailing list posting:
>
> List: Security at lists.okfn.org
> From: keith.moss at landgate.wa.gov.au
> Subject: API keys and password hashes in public HTML on CKAN
> Reason: Post by non-member to a members-only list
>
> At your convenience, visit:
>
> https://lists.okfn.org/mailman/admindb/security
>
> to approve or deny the request.
>
>
> ---------- Forwarded message ----------
> From: Keith Moss <Keith.Moss at landgate.wa.gov.au>
> To: "security at ckan.org" <security at ckan.org>
> Cc: Florian Mayer <florian.mayer at dpaw.wa.gov.au>
> Date: Mon, 29 Feb 2016 00:27:12 +0000
> Subject: API keys and password hashes in public HTML on CKAN
> Hi CKAN Security,
>
> We received the below report recently about the leak of sensitive user
> information on the /stats page of two of our CKAN installs in Western
> Australia.
>
> The leak was caused by debug mode still being enabled on both installs by
> mistake, which resulted in the leak of the information behind the "Users
> Creating Most Datasets"
> <https://github.com/ckan/ckan/blob/91e41b2e68faa3df5296a632f4862f5a55e69e62/ckanext/stats/templates/ckanext/stats/index.html#L151-L169>
> tab of the ckanext-stats.
>
> In this case the highest risk came from exposure of the API keys for three
> sysadmin users, with the leak of the password hashes being a concern, but
> not as much of an immediate risk.
>
> We’ve since taken the necessary steps to turn off debug mode, reset the
> passwords and API keys for the affected users, and scrub the cached
> information from Google and Bing’s search indexes.
>
> I’ve not got a CKAN dev environment established locally, or I’d send a PR,
> but I’d suggest the simplest solution to address this would be a large and
> obvious banner at the top of the page warning that debug mode is enabled
> and should be disabled on any live and publicly-accessible system.
>
> With time and unlimited resources it would also be good to scrub that
> information as part of the debug.html template
> <https://github.com/ckan/ckan/blob/91e41b2e68faa3df5296a632f4862f5a55e69e62/ckan/templates/snippets/debug.html> to
> prevent inadvertent leaks by CKAN or its extensions in the future.
>
> Cheers,
>
> Keith
>
> __________________________________
>
> *Keith Moss*
>
> *data.wa.gov.au* <http://data.wa.gov.au/> *–* Providing access to WA
> government data | Landgate <http://www0.landgate.wa.gov.au/>
>
> p. 08 9273 7070 <http://+61892737070/> | m. +61 4 8872 6571 | e.
> keith.moss at landgate.wa.gov.au
>
> @datagovwa <https://twitter.com/datagovwa> | slip.landgate.wa.gov.au
>
> On 23/02/2016, 15:28, "Alex Osborne" <AOSBORNE at nla.gov.au> wrote:
>
> Hi Florian and Keith,
>
> Just wanted to let you know that what appears to be your password hashes
> and API keys are being exposed publicly in the source code to this page:
>
> http://catalogue.beta.data.wa.gov.au/stats
>
> I've redacted the hashes and keys below but they're present in the above
> page.
>
> User id=b1498f81-06c0-4ca4-adc2-fdd312729923 name=florianm openid=None
> password=$pbkdf2-sha512$19000$**REDACTED** fullname=Florian Mayer
> email=Florian.Mayer at dpaw.wa.gov.au apikey=**REDACTED** created=2015-10-09
> 02:10:59.769325 reset_key=**REDACTED** about=
> activity_streams_email_notifications=False sysadmin=True state=active
> 123L),
> User id=637d92da-da5b-40c0-9c38-f3d3bf0dbafc name=keithm openid=None
> password=$pbkdf2-sha512$19000$**REDACTED** fullname=Keith Moss
> email=keith.moss at landgate.wa.gov.au apikey=**REDACTED**
> created=2015-10-13 05:39:08.899377 reset_key=None about=
> activity_streams_email_notifications=False sysadmin=True state=active
> 6L),
>
> Hopefully sysadmin=True means you're the right people to tell about it or
> at least know who to get in contact with.
>
> I stumbled upon it by accident when Googling "site:gov.au pbkdf2" to see
> if there were any government-wide guidelines about password hashing
> algorithms and thought I'd better tell someone.
>
> Cheers,
>
> Alex
>
> --
> Alex Osborne
> IT Services Branch
> National Library of Australia
>
>
>
> ---------- Forwarded message ----------
> From: security-request at lists.okfn.org
> To:
> Cc:
> Date: Mon, 29 Feb 2016 00:37:29 +0000
> Subject: confirm 469735f7cf14a09df802f6ef02e0ce12afe437d1
> If you reply to this message, keeping the Subject: header intact,
> Mailman will discard the held message. Do this if the message is
> spam. If you reply to this message and include an Approved: header
> with the list password in it, the message will be approved for posting
> to the list. The Approved: header can also appear in the first line
> of the body of the reply.
>
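The two mitigations Keith proposes above (a banner that only fires where it matters, and scrubbing sensitive fields before debug data is rendered) as an added example in Python; this is not CKAN's code and not from the thread. The field list, the `debug` config key handling and the loopback-host rule are assumptions made here.

```python
import re

# Assumed list of User fields that must never reach a rendered page;
# modelled on the key=value repr leaked in the report above.
SENSITIVE_FIELDS = ("password", "apikey", "reset_key")
_FIELD_RE = re.compile(r"\b(" + "|".join(SENSITIVE_FIELDS) + r")=(\S*)")


def scrub_debug_text(text):
    """Mask the values of sensitive key=value pairs in a repr-style dump,
    leaving empty and None values untouched so the structure stays readable."""
    def _mask(match):
        key, value = match.group(1), match.group(2)
        if value in ("", "None"):
            return match.group(0)
        return key + "=**REDACTED**"
    return _FIELD_RE.sub(_mask, text)


def is_debug_enabled(config):
    """Assumes .ini-style string values; treat the usual truthy spellings as on."""
    value = str(config.get("debug", "false")).strip().lower()
    return value in ("true", "1", "on", "yes")


def show_debug_banner(config, request_host):
    """Show a warning banner only when debug is on AND the request is not
    served from a loopback host, so local development keeps its normal theme."""
    if not is_debug_enabled(config):
        return False
    host = request_host.strip().lower()
    if host.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:5000
        host = host[1:host.index("]")]
    else:
        host = host.split(":")[0]         # drop any port
    return host not in ("localhost", "127.0.0.1", "::1")


if __name__ == "__main__":
    # Constructed sample modelled on the leaked format; not real credentials.
    sample = ("User id=00000000-0000-0000-0000-000000000000 name=example "
              "password=$pbkdf2-sha512$19000$c2FsdA$aGFzaA apikey=0123456789abcdef "
              "reset_key=None about= sysadmin=True state=active")
    print(scrub_debug_text(sample))
    print(show_debug_banner({"debug": "true"}, "catalogue.example.gov.au"))  # True
    print(show_debug_banner({"debug": "true"}, "localhost:5000"))            # False
```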