[CKAN-Security] CKAN potential SQL injection

Wes Hinsley w.hinsley at imperial.ac.uk
Fri Jun 23 08:43:11 UTC 2017


In the last couple of days, I've followed the instructions for 
installing CKAN from source onto a new Linux VM, and I've then followed 
the instructions to convert it from a development to a production server.

My university IT department has then done a vulnerability scan before 
making it publicly accessible, and they've refused with the attached 
document - sorry for the size - in short:

p7 - "CGI Generic SQL Injection" - they think they can CGI inject 
through the 'sort' parameter.

p9 - "Web Application potentially vulnerable to clickjacking"

p10 - "WebServer Transmits Cleartext Credentials" - this is the only 
other warning, and it's my problem - I should move to HTTPS. But it may 
be a good idea to highlight this in the install documentation.

I hope this is helpful - could you advise me what to do about the first 
two points?

Many thanks,
Wes Hinsley
Imperial College London

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SR0461852_xp9n25.pdf
Type: application/pdf
Size: 66720 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170623/697c2e70/attachment.pdf>
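The two findings the poster asks about map to two standard defensive checks. The block below is an added example written for this archive page; it is not CKAN code and does not describe how CKAN handles its `sort` parameter. It assumes a hypothetical dataset table with the columns `name`, `title` and `metadata_modified` (constructed in an in-memory SQLite database), and shows (1) allowlisting a user-supplied `sort` value before it is placed after `ORDER BY`, since an ORDER BY column cannot be bound as a query parameter, and (2) a check on response headers for the framing restriction a clickjacking finding asks for (`X-Frame-Options` or a `Content-Security-Policy` `frame-ancestors` directive). The sample header sets are constructed.

```python
import re
import sqlite3

# Hypothetical allowlist of columns a caller may sort on (constructed for this example).
ALLOWED_SORT_FIELDS = {"name", "title", "metadata_modified"}
ALLOWED_DIRECTIONS = {"asc", "desc"}
# A sort value is exactly one identifier, optionally followed by asc/desc.
_SORT_RE = re.compile(r"^([a-z_]+)(?:\s+(asc|desc))?$", re.IGNORECASE)


class InvalidSortError(ValueError):
    """Raised when a sort value is malformed or names a field outside the allowlist."""


def safe_order_by(sort_param, default="name asc"):
    """Return a validated 'column direction' string that is safe to interpolate
    after ORDER BY. Anything that is not an allowlisted column plus an optional
    direction is rejected rather than sanitised."""
    value = (sort_param or default).strip()
    m = _SORT_RE.match(value)
    if not m:
        raise InvalidSortError(f"malformed sort value: {value!r}")
    field = m.group(1).lower()
    direction = (m.group(2) or "asc").lower()
    if field not in ALLOWED_SORT_FIELDS or direction not in ALLOWED_DIRECTIONS:
        raise InvalidSortError(f"sort field/direction not permitted: {value!r}")
    return f"{field} {direction}"


def sort_is_accepted(sort_param):
    """Convenience predicate: True if safe_order_by() would accept the value."""
    try:
        safe_order_by(sort_param)
        return True
    except InvalidSortError:
        return False


def build_demo_db():
    """Constructed sample table so the ORDER BY path can be exercised offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE package (name TEXT, title TEXT, metadata_modified TEXT)")
    conn.executemany(
        "INSERT INTO package VALUES (?, ?, ?)",
        [("beta", "Beta", "2017-06-01"), ("alpha", "Alpha", "2017-06-20")],
    )
    return conn


def list_packages(conn, sort_param):
    """Run the listing query; the only dynamic SQL is the validated ORDER BY clause."""
    order_by = safe_order_by(sort_param)
    rows = conn.execute(f"SELECT name FROM package ORDER BY {order_by}")
    return [row[0] for row in rows]


def clickjacking_headers_ok(headers):
    """True if the response headers restrict framing by other origins:
    X-Frame-Options DENY or SAMEORIGIN, or a CSP with a frame-ancestors directive."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = lower.get("content-security-policy", "")
    return "frame-ancestors" in csp.lower()


if __name__ == "__main__":
    db = build_demo_db()
    print(list_packages(db, "metadata_modified desc"))
    print(sort_is_accepted("name; DROP TABLE package"))
    print(clickjacking_headers_ok({"X-Frame-Options": "SAMEORIGIN"}))
```

The allowlist approach is the usual answer to a scanner flagging a sort or order parameter: escaping does not help because the value is an identifier, not a string literal, so the only safe course is to accept a fixed set of names. For the clickjacking finding, the header check is what a scanner performs; the fix is to have the web server or application send one of the headers it looks for.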
