[CKAN-Security] Responsible disclosure: CKAN

Adrià Mercader adria.mercader at okfn.org
Thu Feb 16 16:11:28 UTC 2017


Hi Cedric and others,

Many thanks for reaching out. Please see comments below regarding the
issues raised:

- Solr search server injection

We have identified this issue via another report to security at ckan.org
and a patch is already in place. Patch releases that include the fix
will go out next Wednesday 22nd February around 13:00 UTC.

- User enumeration via application functions

This has been reported in the past and it was flagged as a low-impact
vulnerability. I'd be happy to restrict access to site administrators
only, though; I'll raise it at the next developer meeting.

- No responsible disclosure policy

We have a disclosure policy that security-related issues should be
sent to security at ckan.org, and this is announced in the README and
in other places, but it's true that we could advertise it more
prominently. We will address this.

Thanks a lot for the feedback, we'll keep you informed of progress on
all these issues.


Adrià


On 15 February 2017 at 15:14, van Bockhaven, Cedric (NL - Amsterdam)
<CvanBockhaven at deloitte.nl> wrote:
> Dear CKAN team,
>
> During one of our security tests, we identified a number of potential
> security vulnerabilities in the CKAN portal software.
>
> As a standard step of our responsible disclosure process, we contact the
> developer/owner of the product prior to applying for the relevant CVEs. This
> way, we want to make sure that there is enough time to fix the security
> issues, before we publish the technical details of our findings. Could you
> investigate and confirm the following issues? More details can be shared if
> required.
>
> Moreover, could you confirm your policy for accrediting security
> professionals for identifying and responsibly disclosing these security
> issues? We would like to discuss with you the possibilities for
> accreditation.
>
> Overview of identified vulnerabilities:
>    - Solr search server injection
>    - User enumeration via application functions
>    - No responsible disclosure policy
>
> Please find attached the observations.
>
> We look forward to hearing from you,
>
> Kind regards,
>
> Cedric
>
> Cedric Van Bockhaven
>
> Sr. Consultant | Cyber Risk Services
>
> Deloitte Risk Advisory B.V.
>
> Gustav Mahlerlaan 2970, 1081 LA, Amsterdam, The Netherlands
>
> Tel/Direct +31882887908 | Mobile +31683330429
>
> cvanbockhaven at deloitte.nl / www.deloitte.com
>
> Repo: https://github.com/ckan/ckan-security
