[CKAN-Security] Responsible disclosure: CKAN

Wed Feb 22 10:14:37 UTC 2017

Cedric,
Adria responded, but you appear to be missed off by mistake. See his
email below.
David

On 16 February 2017 at 16:11, Adrià Mercader <adria.mercader at okfn.org> wrote:
> Hi Cedric and others,
>
> Many thanks for reaching out. Please see comments below regarding the
> issues raised:
>
> - Solr search server injection
>
> We have identified this issue via another report to security at ckan.org
> and a patch is already in place. Patch releases that include the fix
> will go out next Wednesday 22nd February around 13:00 UTC
>
> - User enumeration via application functions
>
> This has been reported in the past and it was flagged as a low impact
> vulnerability. I'd be happy to restrict access to site administrators
> only though, I'll raise it on the next developer meeting.
>
> - No responsible disclosure policy
>
> We have the disclosure policy that security related issues should be
> sent to security at ckan.org and this is announced in the README and
> other places in other places, but it's true that we could advertise it
> more prominently. We will address this.
>
> Thanks a lot for the feedback, we'll keep you informed of progress on
> all these issues.
>
>
> Adrià
>
>
> On 15 February 2017 at 15:14, van Bockhaven, Cedric (NL - Amsterdam)
> <CvanBockhaven at deloitte.nl> wrote:
>> Dear CKAN team,
>>
>>
>>
>> During one of our security tests, we identified a number of potential
>> security vulnerabilities in the CKAN portal software.
>>
>>
>>
>> As a standard step of our responsible disclosure process, we contact the
>> developer/owner of the product prior to applying for the relevant CVEs. This
>> way, we want to make sure that there is enough time to fix the security
>> issues, before we publish the technical details of our findings. Could you
>> investigate and confirm the following issues? More details can be shared if
>> required.
>>
>> Moreover, could you confirm your policy for accrediting security
>> professionals for identifying and responsibly disclosing these security
>> issues? We would like to discuss with you the possibilities for
>> accreditation.
>>
>> Overview of identified vulnerabilities:
>>    - Solr search server injection
>>    - User enumeration via application functions
>>    - No responsible disclosure policy
>>
>> Please find attached the observations.
>>
>> We look forward to hearing from you,
>>
>> Kind regards,
>>
>> Cedric
>>
>>
>>
>> Cedric Van Bockhaven
>>
>> Sr. Consultant | Cyber Risk Services
>>
>> Deloitte Risk Advisory B.V.
>>
>> Gustav Mahlerlaan 2970, 1081 LA, Amsterdam, The Netherlands
>>
>> Tel/Direct +31882887908 | Mobile +31683330429
>>
>> cvanbockhaven at deloitte.nl / www.deloitte.com
>>
>> *Disclaimer:*
>> ________________________________
>> This e-mail message and its attachments are subject to the disclaimer
>> published at the following website of Deloitte:
>> http://www2.deloitte.com/nl/nl/legal/Disclaimer.html
>> Deloitte Risk Advisory B.V is registered with the trade register in The
>> Netherlands under number 50340158.
>>
>> Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK
>> private company limited by guarantee (“DTTL”), its network of member firms,
>> and their related entities. DTTL and each of its member firms are legally
>> separate and independent entities. DTTL (also referred to as “Deloitte
>> Global”) does not provide services to clients. Please see
>> http://www2.deloitte.com/nl/nl/pages/about-deloitte/articles/over-deloitte.html
>> for a more detailed description of DTTL and its member firms.
>>
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>
> Repo: https://github.com/ckan/ckan-security