[CKAN-Security] Fwd: XSS vulnerability in email fields

Adrià Mercader adria.mercader at okfn.org
Thu May 18 10:08:03 UTC 2017


Hi,

Let's keep further discussion on the security repo, where this same issue
was reported 2 years ago (!):

https://gitlab.com/ckan/ckan-security/issues/8


@Sergey, send me your GitLab user name and I'll add you to the repo.

Adrià

On 18 May 2017 at 09:16, Tyler Kennedy <tk at tkte.ch> wrote:

> Hey,
>
> Yes, this is a real issue. I've confirmed it affects all versions. The
> culprit is our h.mail_to helper which is just a call into
> webhelpers.html.tools.mail_to. We're also not validating email addresses in
> the input form in the first place, since none of ", <, or > are valid in an
> address.
>
> We can quickly replace it with a simple <a href="mailto:"> and let
> Jinja's normal sanitation take care of it. It's only used in two places,
> https://github.com/ckan/ckan/search?utf8=%E2%9C%93&q=mail_to
>
> webhelpers is an ancient, unsupported library we use in limited places,
> with multiple known vulnerabilities. The atom feeds look like they're also
> vulnerable. We should look at removing it entirely in the future.
>
> Thank you,
> Tyler Kennedy
>
> On Thu, May 18, 2017 at 3:05 AM, Adrià Mercader <adria.mercader at okfn.org>
> wrote:
>
>> Hi Konstantin,
>>
>> Is this something you could investigate a bit to know if the
>> vulnerability actually exists and if there is a patch for it?
>>
>> Thanks
>>
>> Adrià
>>
>>
>> ---------- Forwarded message ----------
>> From: <Jakob.Niggel at continental-corporation.com>
>> Date: 18 May 2017 at 07:46
>> Subject: [CKAN-Security] XSS vulnerability in email fields
>> To: Adrià Mercader <adria.mercader at okfn.org>
>>
>>
>> Hi Everyone,
>>
>> we've found an XSS vulnerability in the email fields which are shown when
>> you create a new dataset. This can be triggered by entering
>> "><script>alert('foo');</script> in one of the mail fields. When a user
>> accesses a dataset the alert message will pop up.
>>
>> This is caused by the function webhelpers.html.tools.mail_to on which
>> CKAN relies.
>>
>> Kind regards
>> Jakob Niggel
>>
>> Continental
>> Corporate IT Infrastructure - Server and Cloud Operations
>> C IN SC LX
>>
>> Continental Automotive GmbH
>> Siemensstrasse 12, 93055 Regensburg, Germany
>>
>> Telefon/Phone: +49 941 790-4892
>> E-Mail: Jakob.Niggel at continental-corporation.com
>>
>> http://www.continental-corporation.com
>>
>>
>> ________________________________________________________________________
>>
>> Continental Automotive GmbH, Vahrenwalder Str. 9, D-30165 Hannover
>> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Helmut
>> Matschi
>> Geschaeftsfuehrer/Managing Director: Georg Sistermanns, Harald Stuhlmann
>> Sitz der Gesellschaft/Registered Office: Hannover
>> Registergericht/Registered Court: Amtsgericht Hannover, HRB 59424,
>> USt.-ID-Nr./VAT-ID-No. DE814950663
>> ________________________________________________________________________
>>
>> Proprietary and confidential. Distribution only by express authority of
>> Continental AG or its subsidiaries.
>>
>> as an employee of Continental Automotive GmbH
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
>>
>>
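The fix Tyler proposes above (render a plain mailto anchor and rely on autoescaping, plus reject addresses containing ", < or >) as an added example. This is not CKAN's or webhelpers' code: mail_to_unsafe models the vulnerable string-concatenation pattern described in the thread, mail_to_safe uses the standard library's html.escape to stand in for Jinja2's autoescaping of {{ }} expressions, and the address regex is a deliberately conservative form-validation check, not CKAN's validator. The payload string is the one quoted in Jakob's report.

```python
import html
import re

# Payload quoted in the report: closes the href attribute and injects a tag.
XSS_PAYLOAD = '"><script>alert(\'foo\');</script>'


def mail_to_unsafe(email, name=None):
    """Models the vulnerable pattern: the user-supplied address is concatenated
    straight into HTML, so a quote in the value terminates the attribute and
    the rest of the value is parsed as markup."""
    return '<a href="mailto:%s">%s</a>' % (email, name or email)


def mail_to_safe(email, name=None):
    """Hardened rendering: every interpolated value is HTML-escaped
    (& < > " ' become entities), which is what Jinja2 autoescaping does to a
    {{ value }} expression inside a template."""
    escaped_email = html.escape(email, quote=True)
    escaped_name = html.escape(name or email, quote=True)
    return '<a href="mailto:%s">%s</a>' % (escaped_email, escaped_name)


# Conservative address check for the input form (an assumption of this example,
# not CKAN's own validator): exactly one @, no whitespace, a dotted domain, and
# none of the characters that can close an HTML attribute or open a tag.
_EMAIL_RE = re.compile(r'^[^@\s"<>]+@[^@\s"<>]+\.[^@\s"<>]+$')


def is_valid_email(value):
    """Return True when the value is acceptable as an email address for the form.
    Rejecting ", < and > at input time is defence in depth: output escaping is
    still the primary control, since stored data may reach other templates."""
    return bool(_EMAIL_RE.match(value))


def contains_unexpected_tags(rendered):
    """Detection helper for a test suite: True if the rendered fragment contains
    any live tag other than the intended <a> anchor."""
    tags = re.findall(r'<\s*/?\s*([a-zA-Z]+)', rendered)
    return any(tag.lower() != 'a' for tag in tags)


if __name__ == '__main__':
    print('unsafe :', mail_to_unsafe(XSS_PAYLOAD))
    print('safe   :', mail_to_safe(XSS_PAYLOAD))
    print('payload accepted by form?', is_valid_email(XSS_PAYLOAD))
```

Running the block shows the unsafe rendering producing a second element after the anchor, while the escaped version keeps the whole payload inside the attribute and text node as inert entities; the form check rejects the payload outright and accepts an ordinary address.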