[CKAN-Security] Solr query injection issue
Lupco Kotev
lupco.kotev at keitaro.com
Fri Feb 10 14:08:14 UTC 2017
It is possible to list private datasets and their description by injecting
extra SOLR parameters.
For example:
http://demo.ckan.org/dataset?q=&res_format=CSV%22%20/*&sort=score+desc%2C+metadata_modified+desc
The parameter res_format with value CSV" /* doesn't get escaped properly
which makes SOLR ignore the filter queries that are defined after it. Since
res_format is added to the filter query (fq) first and "capacity" is added
after it, "capacity" will be ignored, which will return private datasets.
I have submitted a pull request https://github.com/ckan/ckan/pull/3433
which adds the "capacity" filter query first and then adds all the user
defined filter queries.
This has been tested on SOLR version 5.5.0, where the exploit works. On SOLR
5.3.1 the exploit doesn't work: SOLR returns a bad request error because it
can't parse the query string.
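The two defensive measures the report implies, the authorization filter going first in the fq list and user-supplied field values being escaped so a stray `"` or `/*` cannot change how the clause parses, are shown together below. This is an added illustration written for this post, not CKAN's code or the code from the linked pull request; the function names (`build_fq_unsafe`, `build_fq`, `quote_term`, `solr_escape`) and the `capacity:public` default are assumptions, and the escape set follows the Lucene classic query parser's documented special characters.

```python
import re

# Special characters of the Lucene/Solr classic query parser (assumption: the
# same set that SolrJ's ClientUtils.escapeQueryChars handles). A space is
# included so an escaped value stays a single term.
_SPECIAL = re.compile(r'([+\-&|!(){}\[\]^"~*?:\\/ ])')

# Only plain identifiers are accepted as field names; anything else is rejected
# rather than escaped, because field names are not user data.
_FIELD_NAME = re.compile(r'[A-Za-z0-9_]+')


def solr_escape(value: str) -> str:
    """Backslash-escape every query-parser special character in an unquoted term."""
    return _SPECIAL.sub(r'\\\1', value)


def quote_term(value: str) -> str:
    """Wrap value as a quoted Solr term.

    Inside double quotes only backslash and the quote itself are special, so
    escaping those two is enough to keep the value a literal phrase.
    """
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def build_fq_unsafe(user_filters, authorized_capacity='public'):
    """The pattern described in the report (hypothetical reconstruction):

    user filters are interpolated verbatim and the authorization filter is
    appended last, so a value containing a quote ends the clause early and
    whatever follows, including capacity, is no longer part of the filter
    the author intended.
    """
    fq = ['%s:"%s"' % (field, value) for field, value in user_filters]
    fq.append('capacity:"%s"' % authorized_capacity)
    return fq


def build_fq(user_filters, authorized_capacity='public'):
    """Hardened form: authorization filter first, every user value quoted and
    escaped, field names validated."""
    fq = ['capacity:' + quote_term(authorized_capacity)]
    for field, value in user_filters:
        if not _FIELD_NAME.fullmatch(field):
            raise ValueError('rejected field name: %r' % field)
        fq.append('%s:%s' % (field, quote_term(value)))
    return fq


if __name__ == '__main__':
    # Constructed sample input: the value from the report's example URL.
    sample = [('res_format', 'CSV" /*')]
    print('unsafe :', build_fq_unsafe(sample))
    print('safe   :', build_fq(sample))
    print('escaped:', solr_escape('CSV" /*'))
```

Quoting with `quote_term` is the simpler option when the value is always matched as a whole phrase; `solr_escape` is the right tool when the value must remain an unquoted term (for instance when a trailing wildcard is added by the application itself). Either way, the authorization clause is emitted before any user-controlled clause, so a parse failure or early termination in user input can never drop it.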