[CKAN-Security] Fwd: XSS vulnerability in email fields
Konstantin Sivakov
konstantin.sivakov at keitaro.com
Thu May 18 13:01:22 UTC 2017
Hello all,
Please check the patch with the fix for this issue
tried to add it by myself but without success
Best regards,
Konstantin
On Thu, May 18, 2017 at 12:08 PM, Adrià Mercader <adria.mercader at okfn.org>
wrote:
> Hi,
>
> Let's keep further discussion on the security repo, where this same issue
> was reported 2 years ago (!):
>
> https://gitlab.com/ckan/ckan-security/issues/8
>
>
> @Sergey send me your gitlab user name and I'll add you to the repo
>
> Adrià
>
> On 18 May 2017 at 09:16, Tyler Kennedy <tk at tkte.ch> wrote:
>
>> Hey,
>>
>> Yes this is a real issue. I've confirmed it affects all versions. The
>> culprit is our h.mail_to helper which is just a call into
>> webhelpers.html.tools.mail_to. We're also not validating email addresses in
>> the input form in the first place, since none of ", <, or > are valid in an
>> address.
>>
>> We can quickly replace it with a simple <a href="mailto:"> and let
>> Jinja's normal sanitation take care of it. It's only used in two places,
>> https://github.com/ckan/ckan/search?utf8=%E2%9C%93&q=mail_to
>>
>> webhelpers is an ancient, unsupported library we use in limited places,
>> with multiple known vulnerabilities. The atom feeds look like they're also
>> vulnerable. We should look at removing it entirely in the future.
>>
>> Thank you,
>> Tyler Kennedy
>>
>> On Thu, May 18, 2017 at 3:05 AM, Adrià Mercader <adria.mercader at okfn.org>
>> wrote:
>>
>>> Hi Konstantin,
>>>
>>> Is this something you could investigate a bit to know if the
>>> vulnerability actually exists and if there is a patch for it?
>>>
>>> Thanks
>>>
>>> Adrià
>>>
>>>
>>> ---------- Forwarded message ----------
>>> From: <Jakob.Niggel at continental-corporation.com>
>>> Date: 18 May 2017 at 07:46
>>> Subject: [CKAN-Security] XSS vulnerability in email fields
>>> To: Adrià Mercader <adria.mercader at okfn.org>
>>>
>>>
>>> Hi Everyone,
>>>
>>> we've found a XSS vulnerability in the email fields which are shown when
>>> you create a new dataset. This can be triggered by entering
>>> "><script>alert('foo');</script>in one of the mail fields. When a user
>>> accesses an dataset the alert message will popup.
>>>
>>> This is caused by the function webhelpers.html.tools.*mail_to* on which
>>> ckan relies.
>>>
>>> Kind regards
>>> Jakob Niggel
>>>
>>> Continental
>>> Corporate IT Infrastructure - Server and Cloud Operations
>>> C IN SC LX
>>>
>>> Continental Automotive GmbH
>>> Siemensstrasse 12, 93055 Regensburg, Germany
>>>
>>> Telefon/Phone: +49 941 790-4892 <+49%20941%207904892>
>>> E-Mail: Jakob.Niggel at continental-corporation.com
>>>
>>> http://www.continental-corporation.com
>>>
>>>
>>> ________________________________________________________________________
>>>
>>> Continental Automotive GmbH, Vahrenwalder Str. 9, D-30165 Hannover
>>> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board: Helmut
>>> Matschi
>>> Geschaeftsfuehrer/Managing Director: Georg Sistermanns, Harald Stuhlmann
>>> Sitz der Gesellschaft/Registered Office: Hannover
>>> Registergericht/Registered Court: Amtsgericht Hannover, HRB 59424,
>>> USt.-ID-Nr./VAT-ID-No. DE814950663
>>> ________________________________________________________________________
>>>
>>> Proprietary and confidential. Distribution only by express authority of
>>> Continental AG or its subsidiaries.
>>>
>>> als Mitarbeiter der Continental Automotive GmbH
>>> _______________________________________________
>>> CKAN security
>>> https://lists.okfn.org/mailman/listinfo/security
>>> https://lists.okfn.org/mailman/options/security/adria.mercad
>>> er%40okfn.org
>>>
>>> Repo: https://github.com/ckan/ckan-security
>>>
>>>
>>> _______________________________________________
>>> CKAN security
>>> https://lists.okfn.org/mailman/listinfo/security
>>> https://lists.okfn.org/mailman/options/security/tk%40tkte.ch
>>>
>>> Repo: https://github.com/ckan/ckan-security
>>>
>>
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170518/bc78a87e/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3679 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170518/bc78a87e/attachment-0003.jpe>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: email_validation.patch
Type: text/x-patch
Size: 1980 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20170518/bc78a87e/attachment-0003.bin>
More information about the Security
mailing list