[CKAN-Security] Fwd: Vulnerabilities reported on OpenBugBounty.org

Adrià Mercader amercadero at gmail.com
Tue Sep 19 11:07:31 UTC 2017


---------- Forwarded message ----------
From: Cameron Dawe <admin at spam404.com>
Date: 19 September 2017 at 10:24
Subject: Re: Vulnerabilities reported on OpenBugBounty.org
To: Adrià Mercader <amercadero at gmail.com>


Hey Adrià,

Thanks for the update. It's great to see the vulnerability is being worked
on.

The PoC URLs will be made publicly available but only after 12 weeks from
submission date. Since you got in contact right after I submitted these, I'm
sure the vulnerabilities will be addressed in time. My sole aim using OBB
is to get the vulnerabilities patched. I'm not particularly interested in
building a collection of vulnerable or previously vulnerable URLs so I am
more than happy to remove the incidents so that they're not made publicly
available once the vulnerabilities are addressed. Please let me know if
that's preferred.

Kindest Regards,

Cameron

Spam404.com
------------------------------
*From:* Adrià Mercader <amercadero at gmail.com>
*Sent:* 19 September 2017 10:18
*To:* Cameron Dawe
*Subject:* Re: Vulnerabilities reported on OpenBugBounty.org

Hi Cameron,

Just a quick update to let you know that the CKAN maintainers are working
on a patch for this vulnerability that will be released Wednesday next
week. In the meantime we will try to contact as many as possible of these
sites to try to get them ready to patch.

I'm not familiar with how OpenBugBounty works, so just to be clear, will
the exact details on how to reproduce the vulnerability be made public to
everybody at some point? If so, when?

Thank you very much.

Adrià

On 15 September 2017 at 11:06, Adrià Mercader <amercadero at gmail.com> wrote:

> Thanks for the details Cameron.
> We'll decide the best strategy to deliver the patches and get back to you
> as soon as possible.
>
> Best regards,
>
> Adrià
>
> On 15 September 2017 at 04:18, Cameron Dawe <admin at spam404.com> wrote:
>
>> Hey Adrià,
>>
>> Thanks for reaching out so quickly. I would be delighted to share the
>> technical details with you.
>>
>> I found a reflected cross-site scripting vulnerability on the following
>> file, api_info.html. Specifically, the `datastore_root_url` parameter.
>>
>> For the example OBB report you provided I'll provide the PoC URL to give
>> you an idea of how this would be exploited (please test using Chrome or
>> Firefox) -
>> opendatani.gov.uk - https://www.opendatani.gov.uk/api/1/util/snippet/api_info.html?resource_id=0195d6db-b1c8-4a2a-b451-36bc4eeb9361&datastore_root_url=javascript:alert(/XSS/)//
>>
>> To trigger, simply click on any of the hyperlinks beginning with
>> "javascript:alert" and it will invoke an alert box with the text "XSS".
>>
>> I found this while participating in the following bug bounty program -
>> https://hackerone.com/tts. I thought I'd mention that as it's likely TTS
>> will reach out to you guys with vulnerability details also.
>>
>> I hope this helps and I look forward to hearing from you soon Adrià.
>>
>> Kindest Regards,
>>
>> Cameron
>>
>> Spam404.com
>> ------------------------------
>> *From:* Adrià Mercader <amercadero at gmail.com>
>> *Sent:* 14 September 2017 15:35
>> *To:* admin at spam404.com
>> *Subject:* Vulnerabilities reported on OpenBugBounty.org
>>
>> Hi,
>>
>> My name is Adrià Mercader and I'm one of the maintainers of CKAN, the
>> open source software that powers all the sites that you reported today on
>> OpenBugBounty (eg https://www.openbugbounty.org/reports/294186/)
>>
>> CKAN version check on all sites: https://www.opendatani.gov.uk/api/action/status_show
>> CKAN repository: https://github.com/ckan/ckan
>> My profile on Github (including this email address): https://github.com/amercader
>> My contributions to the repo: https://github.com/ckan/ckan/graphs/contributors
>> Example commit made by myself: https://github.com/ckan/ckan/commit/96e5e80b35a68ede1f8f2b151e8d49b318b461f1.patch
>> Listed as part of the technical team in the project site:
>> https://ckan.org/about/technical-team/
>>
>> First of all, thanks a lot for reporting the issue responsibly and giving us
>> time to warn the administrators to patch their sites. We have patched XSS
>> related issues recently and included them in our latest security releases,
>> so we would like to confirm whether this particular issue has been covered or we
>> need to prepare new patches.
>>
>> Would you mind sharing the details of the vulnerability so we can act as
>> soon as possible?
>>
>> I'm happy to give any further confirmation that you require.
>>
>> Many thanks,
>>
>> Adrià
>>
>
>
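The thread above describes a reflected XSS where a URL query parameter (`datastore_root_url`) ends up inside hyperlinks, so a `javascript:` value runs when the link is clicked. The following is an added defensive example, not CKAN's own code and not from any message in this thread; it shows why HTML-escaping alone does not stop this class of bug and how a scheme allow-list with a server-side fallback does. `DEFAULT_ROOT`, `is_safe_root_url`, `datastore_root_url` and `render_link` are names chosen here, not CKAN identifiers.

```python
"""Allow-list a URL query parameter before it is placed into an href.

Escaping the value only protects the attribute quoting; an escaped
"javascript:alert(1)" is still a valid javascript: URL once the browser
resolves the href. The value must therefore be validated as an absolute
http(s) URL, and anything else replaced by a trusted server-side default.
"""
from html import escape
from urllib.parse import urlsplit

# Constructed default; a real deployment would derive it from its config.
DEFAULT_ROOT = "https://data.example.org/api/action"


def is_safe_root_url(value) -> bool:
    """True only for absolute http/https URLs that carry a host.

    urlsplit() recognises the scheme only when it is made of the characters a
    URL scheme may contain, so obfuscated variants such as "java\tscript:"
    or a leading "//" (scheme-relative) produce no scheme and are rejected
    by the allow-list rather than needing a deny-list of bad prefixes.
    """
    if not isinstance(value, str):
        return False
    parts = urlsplit(value.strip())
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def datastore_root_url(param, default=DEFAULT_ROOT) -> str:
    """Return the user-supplied root URL if it passes the allow-list, else the default."""
    return param.strip() if param and is_safe_root_url(param) else default


def render_link(root_url: str, resource_id: str) -> str:
    """Build a link like the one the API-info snippet emits.

    Escaping is still applied for correct attribute quoting; the scheme check
    in datastore_root_url() is what actually prevents the javascript: link.
    """
    href = f"{root_url}/datastore_search?resource_id={resource_id}"
    return f'<a href="{escape(href, quote=True)}">{escape(href)}</a>'


if __name__ == "__main__":
    # Constructed inputs mirroring the reported parameter value.
    for candidate in ("javascript:alert(/XSS/)//", "https://data.example.org/api/action"):
        print(render_link(datastore_root_url(candidate), "0195d6db-example"))
```

Run stand-alone it prints two links; the `javascript:` candidate is replaced by the default root, while the https one is kept.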