From Jakob.Niggel at continental-corporation.com Thu May 18 06:46:49 2017 From: Jakob.Niggel at continental-corporation.com (Jakob.Niggel at continental-corporation.com) Date: Thu, 18 May 2017 08:46:49 +0200 Subject: [CKAN-Security] XSS vulnerability in email fields Message-ID: Hi Everyone, we've found a XSS vulnerability in the email fields which are shown when you create a new dataset. This can be triggered by entering ">in one of the mail fields. When a user accesses an dataset the alert message will popup. This is caused by the function webhelpers.html.tools.mail_to on which ckan relies. Kind regards Jakob Niggel Continental Corporate IT Infrastructure - Server and Cloud Operations C IN SC LX Continental Automotive GmbH Siemensstrasse 12, 93055 Regensburg, Germany Telefon/Phone: +49 941 790-4892 E-Mail: Jakob.Niggel at continental-corporation.com http://www.continental-corporation.com ________________________________________________________________________ Continental Automotive GmbH, Vahrenwalder Str. 9, D-30165 Hannover Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Helmut Matschi Geschaeftsfuehrer/Managing Director: Georg Sistermanns, Harald Stuhlmann Sitz der Gesellschaft/Registered Office: Hannover Registergericht/Registered Court: Amtsgericht Hannover, HRB 59424 USt.-ID-Nr./VAT-ID-No. DE814950663 ________________________________________________________________________ Proprietary and confidential. Distribution only by express authority of Continental AG or its subsidiaries. als Mitarbeiter der Continental Automotive GmbH -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 3679 bytes Desc: not available URL: From adria.mercader at okfn.org Thu May 18 07:04:42 2017 From: adria.mercader at okfn.org (=?UTF-8?Q?Adri=C3=A0_Mercader?=) Date: Thu, 18 May 2017 08:04:42 +0100 Subject: [CKAN-Security] Fwd: XSS vulnerability in email fields In-Reply-To: References: Message-ID: Hi Jakob, Thank you very much for reporting this. We will investigate it as soon as possible and keep you informed of progress and any patches. Best, Adri? ---------- Forwarded message ---------- From: Date: 18 May 2017 at 07:46 Subject: [CKAN-Security] XSS vulnerability in email fields To: Adri? Mercader Hi Everyone, we've found a XSS vulnerability in the email fields which are shown when you create a new dataset. This can be triggered by entering ">in one of the mail fields. When a user accesses an dataset the alert message will popup. This is caused by the function webhelpers.html.tools.*mail_to* on which ckan relies. Kind regards Jakob Niggel Continental Corporate IT Infrastructure - Server and Cloud Operations C IN SC LX Continental Automotive GmbH Siemensstrasse 12, 93055 Regensburg, Germany Telefon/Phone: +49 941 790-4892 <+49%20941%207904892> E-Mail: Jakob.Niggel at continental-corporation.com http://www.continental-corporation.com ________________________________________________________________________ Continental Automotive GmbH, Vahrenwalder Str. 9, D-30165 Hannover Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Helmut Matschi Geschaeftsfuehrer/Managing Director: Georg Sistermanns, Harald Stuhlmann Sitz der Gesellschaft/Registered Office: Hannover Registergericht/Registered Court: Amtsgericht Hannover, HRB 59424, USt.-ID-Nr./VAT-ID-No. DE814950663 ________________________________________________________________________ Proprietary and confidential. Distribution only by express authority of Continental AG or its subsidiaries. als Mitarbeiter der Continental Automotive GmbH _______________________________________________ CKAN security https://lists.okfn.org/mailman/listinfo/security https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org Repo: https://github.com/ckan/ckan-security -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 3679 bytes Desc: not available URL: From adria.mercader at okfn.org Thu May 18 07:05:58 2017 From: adria.mercader at okfn.org (=?UTF-8?Q?Adri=C3=A0_Mercader?=) Date: Thu, 18 May 2017 08:05:58 +0100 Subject: [CKAN-Security] Fwd: XSS vulnerability in email fields In-Reply-To: References: Message-ID: Hi Konstantin, Is this something you could investigate a bit to know if the vulnerability actually exists and if there is a patch for it? Thanks Adri? ---------- Forwarded message ---------- From: Date: 18 May 2017 at 07:46 Subject: [CKAN-Security] XSS vulnerability in email fields To: Adri? Mercader Hi Everyone, we've found a XSS vulnerability in the email fields which are shown when you create a new dataset. This can be triggered by entering ">in one of the mail fields. When a user accesses an dataset the alert message will popup. This is caused by the function webhelpers.html.tools.*mail_to* on which ckan relies. Kind regards Jakob Niggel Continental Corporate IT Infrastructure - Server and Cloud Operations C IN SC LX Continental Automotive GmbH Siemensstrasse 12, 93055 Regensburg, Germany Telefon/Phone: +49 941 790-4892 <+49%20941%207904892> E-Mail: Jakob.Niggel at continental-corporation.com http://www.continental-corporation.com ________________________________________________________________________ Continental Automotive GmbH, Vahrenwalder Str. 9, D-30165 Hannover Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Helmut Matschi Geschaeftsfuehrer/Managing Director: Georg Sistermanns, Harald Stuhlmann Sitz der Gesellschaft/Registered Office: Hannover Registergericht/Registered Court: Amtsgericht Hannover, HRB 59424, USt.-ID-Nr./VAT-ID-No. DE814950663 ________________________________________________________________________ Proprietary and confidential. Distribution only by express authority of Continental AG or its subsidiaries. als Mitarbeiter der Continental Automotive GmbH _______________________________________________ CKAN security https://lists.okfn.org/mailman/listinfo/security https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org Repo: https://github.com/ckan/ckan-security -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/jpeg Size: 3679 bytes Desc: not available URL: From tk at tkte.ch Thu May 18 08:16:04 2017 From: tk at tkte.ch (Tyler Kennedy) Date: Thu, 18 May 2017 04:16:04 -0400 Subject: [CKAN-Security] Fwd: XSS vulnerability in email fields In-Reply-To: References:

Message-ID: Hi, Let's keep further discussion on the security repo, where this same issue was reported 2 years ago (!): https://gitlab.com/ckan/ckan-security/issues/8 @Sergey send me your gitlab user name and I'll add you to the repo Adri? On 18 May 2017 at 09:16, Tyler Kennedy wrote: > Hey, > > Yes this is a real issue. I've confirmed it affects all versions. The > culprit is our h.mail_to helper which is just a call into > webhelpers.html.tools.mail_to. We're also not validating email addresses in > the input form in the first place, since none of ", <, or > are valid in an > address. > > We can quickly replace it with a simple

Message-ID: Hello all, Please check the patch with the fix for this issue tried to add it by myself but without success Best regards, Konstantin On Thu, May 18, 2017 at 12:08 PM, Adri? Mercader wrote: > Hi, > > Let's keep further discussion on the security repo, where this same issue > was reported 2 years ago (!): > > https://gitlab.com/ckan/ckan-security/issues/8 > > > @Sergey send me your gitlab user name and I'll add you to the repo > > Adri? > > On 18 May 2017 at 09:16, Tyler Kennedy wrote: > >> Hey, >> >> Yes this is a real issue. I've confirmed it affects all versions. The >> culprit is our h.mail_to helper which is just a call into >> webhelpers.html.tools.mail_to. We're also not validating email addresses in >> the input form in the first place, since none of ", <, or > are valid in an >> address. >> >> We can quickly replace it with a simple