[CKAN-Security] [Possible spam: Use caution] Re: Security post from keith.moss at landgate.wa.gov.au requires approval

Keith Moss Keith.Moss at landgate.wa.gov.au
Tue Mar 1 00:56:06 UTC 2016


Thanks for the quick response, Adria.

Perhaps a banner that can easily be hidden by the user, with the duration of the hide tied to a short-lived cookie (24 hours?). That way it’s low impact for any devs working locally (only have to dismiss it once a day), but still obvious for production/live sites that something is awry.

From: Adrià Mercader <adria.mercader at okfn.org>
Date: Monday, 29 February 2016 at 17:21
To: Keith Moss <Keith.Moss at landgate.wa.gov.au>, "florian.mayer at dpaw.wa.gov.au" <florian.mayer at dpaw.wa.gov.au>
Cc: CKAN Security Alerts/Discussions <security at lists.okfn.org>
Subject: [Possible spam: Use caution] Re: Security post from keith.moss at landgate.wa.gov.au requires approval


Hi Keith,

Thanks for reaching out. We'll discuss the best approach for minimising this risk and come back to you.

Banners are an obvious approach for the case you describe of the debug mode being inadvertently turned on on a production site, but for the most common use case (developing on your local machine) they interfere with the theming and styling. Perhaps we can limit what's shown on the template you mention.

Cheers,

Adrià

On 29 Feb 2016 00:37, <security-owner at lists.okfn.org> wrote:
As list administrator, your authorization is requested for the
following mailing list posting:

    List:    Security at lists.okfn.org
    From:    keith.moss at landgate.wa.gov.au
    Subject: API keys and password hashes in public HTML on CKAN
    Reason:  Post by non-member to a members-only list

At your convenience, visit:

    https://lists.okfn.org/mailman/admindb/security

to approve or deny the request.


---------- Forwarded message ----------
From: Keith Moss <Keith.Moss at landgate.wa.gov.au>
To: "security at ckan.org" <security at ckan.org>
Cc: Florian Mayer <florian.mayer at dpaw.wa.gov.au>
Date: Mon, 29 Feb 2016 00:27:12 +0000
Subject: API keys and password hashes in public HTML on CKAN
Hi CKAN Security,

We received the below report recently about the leak of sensitive user information on the /stats page of two of our CKAN installs in Western Australia.

The leak was caused by debug mode still being enabled on both installs by mistake, which resulted in the leak of the information behind the "Users Creating Most Datasets"<https://github.com/ckan/ckan/blob/91e41b2e68faa3df5296a632f4862f5a55e69e62/ckanext/stats/templates/ckanext/stats/index.html#L151-L169> tab of the ckanext-stats.

In this case the highest risk came from exposure of the API keys for three sysadmin users, with the leak of the password hashes being a concern, but not as much of an immediate risk.

We’ve since taken the necessary steps to turn off debug mode, reset the passwords and API keys for the affected users, and scrub the cached information from Google and Bing’s search indexes.

I’ve not got a CKAN dev environment established locally, or I’d send a PR, but I’d suggest the simplest solution to address this would be a large and obvious banner at the top of the page warning that debug mode is enabled and should be disabled on any live and publicly-accessible system.

With time and unlimited resources it would also be good to scrub that information as part of the debug.html template<https://github.com/ckan/ckan/blob/91e41b2e68faa3df5296a632f4862f5a55e69e62/ckan/templates/snippets/debug.html> to prevent inadvertent leaks by CKAN or its extensions in the future.

Cheers,

Keith
__________________________________
Keith Moss
data.wa.gov.au<http://data.wa.gov.au/> – Providing access to WA government data | Landgate<http://www0.landgate.wa.gov.au/>
p. 08 9273 7070 | m. +61 4 8872 6571 | e. keith.moss at landgate.wa.gov.au
@datagovwa<https://twitter.com/datagovwa> | slip.landgate.wa.gov.au<http://slip.landgate.wa.gov.au/>

On 23/02/2016, 15:28, "Alex Osborne" <AOSBORNE at nla.gov.au> wrote:

Hi Florian and Keith,

Just wanted to let you know that what appears to be your password hashes and API keys are being exposed publicly in the source code to this page:

http://catalogue.beta.data.wa.gov.au/stats

I've redacted the hashes and keys below but they're present in the above page.

User id=b1498f81-06c0-4ca4-adc2-fdd312729923 name=florianm openid=None password=$pbkdf2-sha512$19000$**REDACTED** fullname=Florian Mayer email=Florian.Mayer at dpaw.wa.gov.au apikey=**REDACTED** created=2015-10-09 02:10:59.769325 reset_key=**REDACTED** about= activity_streams_email_notifications=False sysadmin=True state=active
  123L),
User id=637d92da-da5b-40c0-9c38-f3d3bf0dbafc name=keithm openid=None password=$pbkdf2-sha512$19000$**REDACTED** fullname=Keith Moss email=keith.moss at landgate.wa.gov.au apikey=**REDACTED** created=2015-10-13 05:39:08.899377 reset_key=None about= activity_streams_email_notifications=False sysadmin=True state=active
  6L),

Hopefully sysadmin=True means you're the right people to tell about it or at least know who to get in contact with.

I stumbled upon it by accident when Googling "site:gov.au pbkdf2" to see if there were any government-wide guidelines about password hashing algorithms and thought I'd better tell someone.

Cheers,

Alex

--
Alex Osborne
IT Services Branch
National Library of Australia





________________________________
This e-mail and any files transmitted with it are intended only for the use of the addressee(s). It may contain information that is confidential and privileged, in which case neither is intended to be waived or lost by mistaken delivery to you. If you are not an intended recipient, any use, interference with, disclosure, distribution or copying of this material is unauthorised and prohibited. If you receive this e-mail in error, please notify the sender by return e-mail and delete the message and any attachments from your system. Unless specifically indicated, this e-mail does not constitute formal advice or commitment by the sender or the Western Australian Land Information Authority (Landgate). Information in this message not relating to the official business of Landgate shall be understood as neither given nor endorsed by it. It is your responsibility to check any attachments for viruses and defects before opening or sending them on. Landgate’s liability is limited to re-supplying affected attachments.
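The two fixes discussed in the thread, scrubbing secrets out of the debug output and spotting any that have already reached a public page, as an added example in Python (not CKAN's own code and not from any message above). It assumes the debug dump prints User objects as the space-separated key=value reprs shown in Alex's report, and that password, apikey and reset_key are the fields to protect. The sample page, its ids, hashes and keys are constructed dummies.

```python
import re

# Attributes of the CKAN User object that must never reach a rendered page,
# taken from the fields visible in the report above. Assumption: this list is
# what a scrubbing debug template would need to cover for the User model;
# other models and extensions would need their own entries.
SENSITIVE_KEYS = ("password", "apikey", "reset_key")
REDACTED = "**REDACTED**"

# A line of debug output carrying a User repr: optional "(" or "<" at the
# start, then "User k=v k=v ...". Layout assumed from the report.
USER_REPR_RE = re.compile(r"^(?P<prefix>[ \t(<]*User )(?P<body>\w+=.*)$", re.MULTILINE)

# Loose markers for secrets that sit outside a recognisable User repr:
# a passlib-style PBKDF2 hash and an "apikey=<uuid>" pair.
HASH_RE = re.compile(r"\$pbkdf2-sha(?:256|512)\$\d+\$[A-Za-z0-9./]+\$[A-Za-z0-9./]+")
APIKEY_RE = re.compile(
    r"\bapikey=([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b")

# Values such as "Florian Mayer" or "2015-10-09 02:10:59" contain spaces, so a
# pair boundary is a space followed by something that looks like a new key.
PAIR_SPLIT_RE = re.compile(r" (?=[A-Za-z_]+=)")


def parse_user_repr(body):
    """Turn 'k=v k=v ...' into a dict, preserving empty values (about=)."""
    fields = {}
    for pair in PAIR_SPLIT_RE.split(body):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def redact_user_repr(body):
    """Rebuild the repr with sensitive, non-empty values replaced. This is
    the scrubbing a safer debug.html would apply before rendering."""
    parts = []
    for pair in PAIR_SPLIT_RE.split(body):
        key, _, value = pair.partition("=")
        if key in SENSITIVE_KEYS and value not in ("", "None"):
            value = REDACTED
        parts.append(key + "=" + value)
    return " ".join(parts)


def redact_page(html):
    """Scrub every User repr in a page's source, keeping the surrounding text."""
    return USER_REPR_RE.sub(
        lambda m: m.group("prefix") + redact_user_repr(m.group("body")), html)


def find_leaks(html):
    """Return (user, field, is_sysadmin) for every secret exposed in a page.
    Recognised reprs are checked field by field; whatever is left after
    scrubbing them is swept with the loose patterns so a differently laid
    out dump still gets flagged."""
    findings = []
    for m in USER_REPR_RE.finditer(html):
        fields = parse_user_repr(m.group("body"))
        for key in SENSITIVE_KEYS:
            if fields.get(key, "") not in ("", "None", REDACTED):
                findings.append((fields.get("name", "?"), key,
                                 fields.get("sysadmin") == "True"))
    leftover = redact_page(html)
    findings += [("?", "password", False) for _ in HASH_RE.finditer(leftover)]
    findings += [("?", "apikey", False) for _ in APIKEY_RE.finditer(leftover)]
    return findings


# Constructed sample of what a /stats page with debug mode on might contain.
# All ids, hashes and keys are dummies made up for this example.
SAMPLE_HTML = """<div class="debug"><pre>
User id=00000000-0000-4000-8000-000000000001 name=alice openid=None password=$pbkdf2-sha512$19000$ZHVtbXlzYWx0$ZHVtbXloYXNo fullname=Alice Example email=alice@example.org apikey=11111111-2222-4333-8444-555555555555 created=2016-02-01 10:00:00.000000 reset_key=None about= activity_streams_email_notifications=False sysadmin=True state=active,
  123L),
User id=00000000-0000-4000-8000-000000000002 name=bob openid=None password=$pbkdf2-sha512$19000$ZHVtbXlzYWx0$ZHVtbXloYXNo fullname=Bob Example email=bob@example.org apikey=66666666-7777-4888-8999-aaaaaaaaaaaa created=2016-02-02 10:00:00.000000 reset_key=0123456789abcdef about= activity_streams_email_notifications=False sysadmin=False state=active,
  6L),
</pre></div>
"""

if __name__ == "__main__":
    for user, field, is_sysadmin in find_leaks(SAMPLE_HTML):
        print(f"leak: user={user} field={field} sysadmin={is_sysadmin}")
    print(redact_page(SAMPLE_HTML))
```

Run against a saved copy of a page's source, find_leaks lists each exposed field per account and whether that account is a sysadmin, which is the triage Keith describes (rotate the API keys first, then treat the hashes). redact_page is the same logic turned into the fix: applied to the dump before it is rendered, the page still shows which users exist but no longer carries anything worth indexing.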


---------- Forwarded message ----------
From: security-request at lists.okfn.org
To:
Cc:
Date: Mon, 29 Feb 2016 00:37:29 +0000
Subject: confirm 469735f7cf14a09df802f6ef02e0ce12afe437d1
If you reply to this message, keeping the Subject: header intact,
Mailman will discard the held message.  Do this if the message is
spam.  If you reply to this message and include an Approved: header
with the list password in it, the message will be approved for posting
to the list.  The Approved: header can also appear in the first line
of the body of the reply.

