[CKAN-Security] Fwd: Vulnerabilities reported on OpenBugBounty.org

Adrià Mercader amercadero at gmail.com
Mon Oct 2 09:14:39 UTC 2017


---------- Forwarded message ----------
From: Cameron Dawe <admin at spam404.com>
Date: 1 October 2017 at 11:39
Subject: Re: Vulnerabilities reported on OpenBugBounty.org
To: Adrià Mercader <amercadero at gmail.com>


Hey Adrià,

Thanks for the update. That's great to hear and kudos for addressing the
vulnerability so quickly.

I will work with OBB to update and remove the patched sites. In regards to
the unpatched sites, that's exactly why I use OBB. So many times in the
past I've reported vulnerabilities that went unaddressed and were later
exploited. By keeping the reports there for unpatched sites it will
hopefully encourage remediation (hopefully before the reports are made
public).

Kindest Regards,

Cameron

Spam404.com
------------------------------
*From:* Adrià Mercader <amercadero at gmail.com>
*Sent:* 29 September 2017 13:22

*To:* Cameron Dawe
*Subject:* Re: Vulnerabilities reported on OpenBugBounty.org

Hi again Cameron,

Just another (hopefully final) update on this issue. We patched the source
code and released new patch releases for the different versions affected last
Wednesday [1]. Some sites have already begun patching the vulnerability, e.g.

https://www.opendatani.gov.uk/api/1/util/snippet/api_info.html?resource_id=0195d6db-b1c8-4a2a-b451-36bc4eeb9361&datastore_root_url=javascript:alert(/XSS/)//

We are actively trying to reach out to as many CKAN instances as possible,
but the reality is that it is very unlikely that we'll ever be able to reach
all affected sites, so we would be really grateful to take up your offer of
removing the incidents from the OBB site, to avoid putting these and other
sites at risk if they don't upgrade.

Let me know your thoughts on this.

As soon as I figure out how to do it I'll leave an acknowledgement and
recommendation on your OBB profile.

Thanks again for your help in identifying this issue.

Best regards,

Adrià





[1] https://ckan.org/2017/09/27/latest-ckan-patch-releases-now-available/

On 19 September 2017 at 10:24, Cameron Dawe <admin at spam404.com> wrote:

> Hey Adrià,
>
> Thanks for the update. It's great to see the vulnerability is being worked
> on.
>
> The PoC URLs will be made publicly available but only after 12 weeks from
> submission date. Since you got in contact right after I submitted these I'm
> sure the vulnerabilities will be addressed in time. My sole aim using OBB
> is to get the vulnerabilities patched. I'm not particularly interested in
> building a collection of vulnerable or previously vulnerable URLs so I am
> more than happy to remove the incidents so that they're not made publicly
> available once the vulnerabilities are addressed. Please let me know if
> that's preferred.
>
> Kindest Regards,
>
> Cameron
>
> Spam404.com
> ------------------------------
> *From:* Adrià Mercader <amercadero at gmail.com>
> *Sent:* 19 September 2017 10:18
> *To:* Cameron Dawe
> *Subject:* Re: Vulnerabilities reported on OpenBugBounty.org
>
> Hi Cameron,
>
> Just a quick update to let you know that the CKAN maintainers are working
> on a patch for this vulnerability that will be released Wednesday next
> week. In the meantime we will try to contact as many as possible of these
> sites to try to get them ready to patch.
>
> I'm not familiar with how OpenBugBounty works, so just to be clear, will
> the exact details on how to reproduce the vulnerability be made public to
> everybody at some point? If so, when?
>
> Thank you very much.
>
> Adrià
>
> On 15 September 2017 at 11:06, Adrià Mercader <amercadero at gmail.com>
> wrote:
>
>> Thanks for the details Cameron.
>> We'll decide the best strategy to deliver the patches and get back to you
>> as soon as possible.
>>
>> Best regards,
>>
>> Adrià
>>
>> On 15 September 2017 at 04:18, Cameron Dawe <admin at spam404.com> wrote:
>>
>>> Hey Adrià,
>>>
>>> Thanks for reaching out so quickly. I would be delighted to share the
>>> technical details with you.
>>>
>>> I found a reflected cross-site scripting vulnerability on the following
>>> file, api_info.html. Specifically, the `datastore_root_url` parameter.
>>>
>>> For the example OBB report you provided I'll provide the PoC URL to give
>>> you an idea of how this would be exploited (please test using Chrome or
>>> Firefox) -
>>> opendatani.gov.uk - https://www.opendatani.gov.uk/api/1/util/snippet/api_info.html?resource_id=0195d6db-b1c8-4a2a-b451-36bc4eeb9361&datastore_root_url=javascript:alert(/XSS/)//
>>>
>>> To trigger, simply click on any of the hyperlinks beginning with
>>> "javascript:alert" and it will invoke an alert box with the text "XSS".
>>>
>>> I found this while participating in the following bug bounty program -
>>> https://hackerone.com/tts. I thought I'd mention that as it's likely
>>> TTS will reach out to you guys with vulnerability details also.
>>>
>>> I hope this helps and I look forward to hearing from you soon Adrià.
>>>
>>> Kindest Regards,
>>>
>>> Cameron
>>>
>>> Spam404.com
>>> ------------------------------
>>> *From:* Adrià Mercader <amercadero at gmail.com>
>>> *Sent:* 14 September 2017 15:35
>>> *To:* admin at spam404.com
>>> *Subject:* Vulnerabilities reported on OpenBugBounty.org
>>>
>>> Hi,
>>>
>>> My name is Adrià Mercader and I'm one of the maintainers of CKAN, the
>>> open source software that powers all the sites that you reported today on
>>> OpenBugBounty (eg https://www.openbugbounty.org/reports/294186/)
>>>
>>> CKAN version check on all sites: https://www.opendatani.gov.uk/api/action/status_show
>>> CKAN repository: https://github.com/ckan/ckan
>>> My profile on Github (including this email address):
>>> https://github.com/amercader
>>> My contributions to the repo: https://github.com/ckan/ckan/graphs/contributors
>>> Example commit made by myself: https://github.com/ckan/ckan/commit/96e5e80b35a68ede1f8f2b151e8d49b318b461f1.patch
>>> Listed as part of the technical team in the project site:
>>> https://ckan.org/about/technical-team/
>>>
>>> First of all thanks a lot for reporting the issue responsibly and giving
>>> us time to warn the administrators to patch their sites. We have patched
>>> XSS related issues recently and included them in our latest security
>>> releases so we would like to confirm if this particular issue has been
>>> covered or we need to prepare new patches.
>>>
>>> Would you mind sharing the details of the vulnerability so we can act as
>>> soon as possible?
>>>
>>> I'm happy to give any further confirmation that you require.
>>>
>>> Many thanks,
>>>
>>> Adrià
>>>
>>
>>
>
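The reflected XSS described in this thread works because a request parameter (`datastore_root_url`) is placed into the `href` of generated hyperlinks, and a `javascript:` URL in an `href` runs when clicked even if every HTML special character has been escaped. The following is an added example written for this archive page; it is not CKAN's code and not the fix shipped in the patch releases referenced above. It contrasts a naive link builder (escaping only) with one that additionally allow-lists the URL scheme, which is the check a template or view must make before emitting a user-controlled URL as a link target. The function names and the sample URLs are constructed for illustration.

```python
import html
from urllib.parse import urlsplit

# Schemes that may appear in a generated href. Anything else (javascript:,
# data:, vbscript:, protocol-relative "//host", empty) is refused.
ALLOWED_SCHEMES = {"http", "https"}

# Characters browsers drop from a URL before interpreting its scheme; removing
# them first means "java\tscript:" is judged the way a browser would see it.
_STRIPPED_INSIDE = "\t\r\n"
_STRIPPED_AT_ENDS = "".join(chr(c) for c in range(0x21))  # C0 controls and space


def is_safe_href(url):
    """Return True only if url is an absolute http(s) URL safe to use as a link target."""
    if not isinstance(url, str):
        return False
    cleaned = "".join(ch for ch in url if ch not in _STRIPPED_INSIDE)
    cleaned = cleaned.strip(_STRIPPED_AT_ENDS)
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # urlsplit lower-cases the scheme, so "JavaScript:" is caught as well.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_link_unsafe(url, label):
    """Escaping alone: blocks tag injection but still emits javascript: link targets."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label))


def render_link(url, label):
    """Hardened: scheme allow-list first, then attribute escaping of what remains."""
    if not is_safe_href(url):
        # Drop the href entirely rather than trying to "clean" a script URL.
        return "<a>%s</a>" % html.escape(label)
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label))


if __name__ == "__main__":
    # Constructed sample values, including the PoC payload form quoted in the thread.
    for candidate in ("https://example.org/api/3/action/datastore_search?a=1&b=2",
                      "javascript:alert(/XSS/)//",
                      "JavaScript:alert(1)",
                      "java\tscript:alert(1)",
                      "data:text/html,hello",
                      "//evil.example/"):
        print(repr(candidate), "->", is_safe_href(candidate))
        print("   naive:   ", render_link_unsafe(candidate, "API"))
        print("   hardened:", render_link(candidate, "API"))
```

The order of operations matters: escaping must happen after the scheme check, and on the original string, so that a URL which passes validation is still safe inside a quoted attribute (`&` becomes `&amp;`). Refusing the `href` outright for a rejected value is preferable to rewriting it, because a partial rewrite of a hostile URL is easy to get wrong.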