[CKAN-Security] Fwd: XSS vulnerability in email fields

Tyler Kennedy tk at tkte.ch
Thu May 18 08:16:04 UTC 2017


Hey,

Yes, this is a real issue. I've confirmed it affects all versions. The
culprit is our h.mail_to helper which is just a call into
webhelpers.html.tools.mail_to. We're also not validating email addresses in
the input form in the first place, since none of ", <, or > are valid in an
address.

We can quickly replace it with a simple <a href="mailto:"> and let Jinja's
normal sanitation take care of it. It's only used in two places,
https://github.com/ckan/ckan/search?utf8=%E2%9C%93&q=mail_to

webhelpers is an ancient, unsupported library we use in limited places,
with multiple known vulnerabilities. The atom feeds look like they're also
vulnerable. We should look at removing it entirely in the future.

Thank you,
Tyler Kennedy

On Thu, May 18, 2017 at 3:05 AM, Adrià Mercader <adria.mercader at okfn.org>
wrote:

> Hi Konstantin,
>
> Is this something you could investigate a bit to know if the vulnerability
> actually exists and if there is a patch for it?
>
> Thanks
>
> Adrià
>
>
> ---------- Forwarded message ----------
> From: <Jakob.Niggel at continental-corporation.com>
> Date: 18 May 2017 at 07:46
> Subject: [CKAN-Security] XSS vulnerability in email fields
> To: Adrià Mercader <adria.mercader at okfn.org>
>
>
> Hi Everyone,
>
> we've found an XSS vulnerability in the email fields which are shown when
> you create a new dataset. This can be triggered by entering
> "><script>alert('foo');</script> in one of the mail fields. When a user
> accesses a dataset the alert message will pop up.
>
> This is caused by the function webhelpers.html.tools.*mail_to* on which
> ckan relies.
>
> Kind regards
> Jakob Niggel
>
> Continental
> Corporate IT Infrastructure - Server and Cloud Operations
> C IN SC LX
>
> Continental Automotive GmbH
> Siemensstrasse 12, 93055 Regensburg, Germany
>
> Telefon/Phone: +49 941 790-4892
> E-Mail: Jakob.Niggel at continental-corporation.com
>
> http://www.continental-corporation.com
>
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
>
>
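The fix Tyler describes, as an added illustration that is not CKAN's or webhelpers' code: a hypothetical unescaped helper of the kind that causes this class of bug, beside a version that escapes the value in both attribute and text context (what Jinja2 autoescaping does for `{{ address }}`), plus the input-side check that rejects `"`, `<` and `>` since they can never appear in a valid address. The function names, the regex and the sample address are assumptions; the payload is the one quoted in the report.

```python
import html
import re

# Constructed sample input: the payload from the report, plus a benign address (assumption).
PAYLOAD = '"><script>alert(\'foo\');</script>'
GOOD_ADDRESS = "data-owner@example.org"

# Conservative address shape for a form field: one '@', a dot in the domain,
# no whitespace and none of the HTML-significant characters " < >.
# Deliberately strict, not a full RFC 5322 parser (assumption).
_EMAIL_RE = re.compile(r'^[^\s@"<>]+@[^\s@"<>]+\.[^\s@"<>]+$')


def is_valid_email(address: str) -> bool:
    """Reject anything that cannot be a mailbox, including ", < and >."""
    return bool(_EMAIL_RE.match(address))


def naive_mail_to(address: str) -> str:
    """Hypothetical helper that interpolates the raw value into markup.
    It shows the bug class the thread describes; it is NOT webhelpers' code."""
    return '<a href="mailto:%s">%s</a>' % (address, address)


def safe_mail_to(address: str) -> str:
    """Escape & < > " ' so the value is inert in the href attribute and in
    the link text, matching what Jinja2 autoescape does in a template."""
    escaped = html.escape(address, quote=True)
    return '<a href="mailto:%s">%s</a>' % (escaped, escaped)


def render_email_field(address: str) -> str:
    """Defence in depth: validate on input, escape on output."""
    if not is_valid_email(address):
        raise ValueError("not a valid e-mail address")
    return safe_mail_to(address)


if __name__ == "__main__":
    print(naive_mail_to(PAYLOAD))  # the quote breaks out of the attribute, script tag survives
    print(safe_mail_to(PAYLOAD))   # payload rendered as harmless text
    print(render_email_field(GOOD_ADDRESS))
```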