[CKAN-Security] Solr query injection issue

Adrià Mercader adria.mercader at okfn.org
Fri Feb 10 20:49:15 UTC 2017


Hi Lupco,

Thanks for flagging this. I've merged your patch and will backport where
necessary.

Please, in the future, ensure that you report security-related issues to this
list and don't submit a public PR with the patch, and especially don't
discuss it on the mailing list or the IRC channel. Otherwise you expose the
exploit publicly and leave other CKAN instances vulnerable.

Cheers,

Adrià

On 10 Feb 2017 5:57 p.m., "Lupco Kotev" <lupco.kotev at keitaro.com> wrote:

It is possible to list private datasets and their description by injecting
extra SOLR parameters.

For example:
http://demo.ckan.org/dataset?q=&res_format=CSV%22%20/*&sort=score+desc%2C+metadata_modified+desc

The parameter res_format with value CSV" /* doesn't get escaped properly
which makes SOLR ignore the filter queries that are defined after it. Since
res_format is added to the filter query (fq) first and "capacity" is added
after it, "capacity" will be ignored which will return private datasets.

I have submitted a pull request https://github.com/ckan/ckan/pull/3433
which adds the "capacity" filter query first and then adds all the user
defined filter queries.

This has been tested on SOLR version 5.5.0, where the exploit works. On SOLR
5.3.1 the exploit doesn't work; SOLR returns a bad request error because it
can't parse the query string.
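To illustrate the ordering and escaping problem described in the report, here is an added Python example (not CKAN's own code; the function names and the simplified fq builder are assumptions). It shows an fq string built the way the report describes, beside a hardened builder that puts the "capacity" restriction first and escapes user-supplied values.

```python
# Added example, not CKAN's own code: a simplified stand-in for how a
# search layer might assemble a Solr filter query (fq) from request
# parameters. Function names and structure are assumptions.
import re


def escape_phrase(value: str) -> str:
    """Escape a user value for use inside a double-quoted Solr phrase.

    Inside quotes only the backslash and the double quote can change
    query structure, so those are the characters that must be escaped.
    Unquoted terms would need the full Solr metacharacter set escaped.
    """
    return value.replace('\\', '\\\\').replace('"', '\\"')


def build_fq_vulnerable(user_filters: dict, capacity: str = 'public') -> str:
    """Mirrors the ordering in the report: user filters first, the access
    restriction last, values merely wrapped in quotes with no escaping.
    A value such as CSV" /* closes the phrase early and opens a comment
    that swallows the trailing capacity filter."""
    parts = ['%s:"%s"' % (k, v) for k, v in user_filters.items()]
    parts.append('capacity:%s' % capacity)
    return ' '.join(parts)


def build_fq_hardened(user_filters: dict, capacity: str = 'public') -> str:
    """Access restriction is emitted first (as the merged patch does), and
    every user value is escaped so it cannot alter the query structure."""
    parts = ['capacity:%s' % capacity]
    for key, value in user_filters.items():
        # Field names come from the request too; only allow plain identifiers.
        if not re.fullmatch(r'[A-Za-z0-9_]+', key):
            raise ValueError('unexpected filter field name: %r' % key)
        parts.append('%s:"%s"' % (key, escape_phrase(value)))
    return ' '.join(parts)


if __name__ == '__main__':
    # Constructed input matching the report's res_format value.
    sample = {'res_format': 'CSV" /*'}
    print('vulnerable:', build_fq_vulnerable(sample))
    print('hardened:  ', build_fq_hardened(sample))
```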
