[CKAN-Security] Solr Manipulation

• Next message: [CKAN-Security] Solr Manipulation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

I recently reported a security flaw over public issue, this time I'm doing it through the right channel.
We identified an issue that allows you to manipulate the Solr through a linked dataset.

If you create a new dataset and you add a resource. If you give it the following URL, for example, http://localhost:8983/solr/ckan-schema-2.3/update?commit=true&stream.body=<delete><query>*:*</query></delete><http://localhost:8983/solr/ckan-schema-2.3/update?commit=true&stream.body=%3cdelete%3e%3cquery%3e*:*%3c/query%3e%3c/delete%3e> it will simply remove all the datasets from the solr, and you will need to run the reindexer.
The same way you can delete and manipulate all datasets because you have full access to Solr. The data itself is never touched but we though this was worth sharing with you because the possibilities of changing the perception of what's available on the CKAN instance are limiteless.


Best Regards,
Gil Hilário











[logo civity new]



T +31 (0)6 24 16 07 23 | E gil at civity.nl<mailto:gil at civity.nl>
Handelsweg 6-1 | 3707 NH Zeist
W www.civity.nl<http://www.civity.nl/>













Civity is onderdeel van de Onetrail groep (www.onetrail.com<http://www.onetrail.com/>)
Civity is initiatiefnemer van FIWARE LAB Nederland, de open innovatie omgeving voor smart cities www.fiware-lab.nl<http://www.fiware-lab.nl/>
[cid:image005.png at 01D0D9C8.8D3B3A60]<https://www.linkedin.com/company/3284795?trk=tyah&trkInfo=clickedVertical%3Acompany%2CclickedEntityId%3A3284795%2Cidx%3A2-3-4%2CtarId%3A1473335093147%2Ctas%3Acivity>[cid:image005.png at 01D20A7C.FC86C980]<https://twitter.com/intent/follow?original_referer=https://about.twitter.com/resources/buttons&region=follow_link&screen_name=CivityNL&tw_p=followbutton>



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170814/da78a7e5/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 3186 bytes
Desc: image001.jpg
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170814/da78a7e5/attachment.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 1828 bytes
Desc: image002.png
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170814/da78a7e5/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 1578 bytes
Desc: image003.png
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170814/da78a7e5/attachment-0001.png>

• Next message: [CKAN-Security] Solr Manipulation
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]