[CKAN-Security] CKAN potential SQL injection
Wes Hinsley
w.hinsley at imperial.ac.uk
Fri Jun 23 08:43:11 UTC 2017
Hi,
In the last couple of days, I've followed the instructions for
installing CKAN from source, onto a new linux VM, and I've then followed
the instructions to convert it from a development to a production server.
My university IT department has then done a vulnerability scan before
making it publicly accessible, and they've refused with the attached
document - sorry for the size - in short:
p7 - "CGI Generic SQL Injection" - they think they can CGI inject
through the 'sort' parameter.
p9 - "Web Application potentially vulnerable to clickjacking"
p10 - "WebServer Transmits Cleartext Credentials" - this is the only
other warning, and it's my problem - I should move to HTTPS. But it may
be a good idea to highlight this in the install documentation.
I hope this is helpful - could you advise me what to do about the first
two points?
Many thanks,
Wes Hinsley
Imperial College London
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SR0461852_xp9n25.pdf
Type: application/pdf
Size: 66720 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170623/697c2e70/attachment.pdf>