[CKAN-Security] XSS for multiple sites

David Read david.read at hackneyworkshop.com
Thu Sep 14 17:41:40 UTC 2017


Tyler,

Good spot, and I agree it is a separate issue (which we addressed with
the recent changes).

I see that the source site that was harvested has the 'onclick' rubbish too:
http://gpdatasets.hscni.net/2017-2018.php
It seems more like bad PHP rather than an attempted attack, but I
don't know this area at all well.

I gather that the bugbounty site independently confirms the presence
of the XSS problem by running automatic tests. So no doubt you're on
the right path suggesting it is the search form or something similar.

David

On 14 September 2017 at 15:59, Tyler Kennedy <tk at tkte.ch> wrote:
> Don't believe it's related to this exploit, but if you take a look at the
> resources on a lot of these sites there are attempted XSS attacks,
>
> https://www.opendatani.gov.uk/dataset/gp-prescribing-data/resource/44b5267a-c2a5-4876-974c-055cd8d4a135
>
> Notice the onclick at the end of the resource URL? If these sites have
> datapusher and datastore enabled while allowing public access you can do fun
> things like pulling the passwords file or having solr delete itself.
>
> On Thu, Sep 14, 2017 at 10:20 AM, Adrià Mercader <adria.mercader at okfn.org>
> wrote:
>>
>> > If you are the website owner or administrator please contact the
>> > researcher directly to get vulnerability details and proceed to coordinated
>> > disclosure.
>>
>> I'll try first emailing him and telling him I'm one of the maintainers and
>> if that doesn't work we'll have to do it via a Link Digital / Viderum site
>>
>> On 14 September 2017 at 15:19, David Read <david.read at hackneyworkshop.com>
>> wrote:
>>>
>>> Adria,
>>>
>>> I believe you have to be the site owner to get the details.
>>> *Viderum* run opendatani.gov.uk
>>> *LinkDigital* run some of the Australian ones. Are any reps from them
>>> on this list?
>>>
>>> David
>>>
>>> On 14 September 2017 at 14:02, Adrià Mercader <adria.mercader at okfn.org>
>>> wrote:
>>> > How does this site work? How can we get the details?
>>> >
>>> > On 14 September 2017 at 13:52, David Read
>>> > <david.read at hackneyworkshop.com>
>>> > wrote:
>>> >>
>>> >> To: CKAN Security list,
>>> >>
>>> >> I got alerted to this report of XSS on a number of CKAN sites:
>>> >>
>>> >> https://www.openbugbounty.org/reports/294186/
>>> >>
>>> >> I don't know the details of the specific problem, but I'm asking via
>>> >> my contacts.
>>> >> The CKAN versions on the list seem pretty broad and include the
>>> >> latest, e.g.
>>> >>
>>> >> CKAN 2.2.4 https://data.england.nhs.uk/api/util/status
>>> >> CKAN 2.6.2 https://www.opendatani.gov.uk/api/util/status
>>> >>
>>> >> David
>>> >> _______________________________________________
>>> >> CKAN security
>>> >> https://lists.okfn.org/mailman/listinfo/security
>>> >>
>>> >> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>> >>
>>> >> Repo: https://github.com/ckan/ckan-security
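The thread above notes that event-handler markup such as onclick was found appended to resource URLs on harvested datasets. What follows is an added example, not code from CKAN or from anyone in this thread, of the kind of check a harvester or template layer can apply on the defending side: it flags resource URLs carrying characters or attribute patterns that cannot occur in a well-formed URL, and renders flagged URLs as escaped text rather than as a link, so the browser never executes what was harvested. The function names, the `suspect-url` class and the sample URLs are all constructed for this example.

```python
import html
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Raw quotes, angle brackets and whitespace are never valid in a URL
# (RFC 3986 permits only unreserved, reserved and percent-encoded octets);
# a raw " or ' is exactly what lets a value break out of the href attribute
# it is rendered into.
FORBIDDEN_CHARS_RE = re.compile(r"""[<>"'\s]""")

# An HTML event-handler attribute (onclick=, onerror=, ...) directly after a
# quote or whitespace, i.e. written where an attribute would follow a URL.
# Requiring the preceding quote/space avoids flagging ordinary query
# parameters such as ?monitor=on or ?season=2017.
EVENT_HANDLER_RE = re.compile(r"""["'\s]\s*on[a-z]+\s*=""", re.IGNORECASE)


def inspect_resource_url(url: str) -> List[str]:
    """Return a list of findings for one resource URL; an empty list means clean."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        findings.append("unexpected scheme %r" % parts.scheme)
    if not parts.netloc:
        findings.append("missing host")
    if FORBIDDEN_CHARS_RE.search(url):
        findings.append("contains characters not valid in a URL")
    if EVENT_HANDLER_RE.search(url):
        findings.append("contains an HTML event-handler attribute")
    return findings


def scan_resource_urls(urls: List[str]) -> Dict[str, List[str]]:
    """Inspect every URL in a harvested batch; map each URL to its findings."""
    return {url: inspect_resource_url(url) for url in urls}


def render_resource_link(url: str) -> str:
    """Render a resource URL for an HTML page.

    Clean URLs become a link with the href attribute-escaped. Flagged URLs are
    shown as escaped text only, so a reviewer can still see what was harvested
    while the browser never treats any of it as markup.
    """
    if inspect_resource_url(url):
        return '<span class="suspect-url">%s</span>' % html.escape(url, quote=True)
    safe = html.escape(url, quote=True)
    return '<a href="%s">%s</a>' % (safe, safe)


# Constructed sample URLs for this example; none is taken from the sites
# mentioned in the thread.
SAMPLE_URLS = [
    "https://example.org/data/prescribing-2017.csv",
    "https://example.org/data/2017.csv?season=winter&monitor=on",
    'https://example.org/data/2017.csv" onclick="alert(1)',
    "javascript:void(0)",
]

if __name__ == "__main__":
    for url, findings in scan_resource_urls(SAMPLE_URLS).items():
        status = "; ".join(findings) if findings else "ok"
        print("%-60s %s" % (url, status))
        print("    ->", render_resource_link(url))
```

The two layers are deliberately independent: the scan gives an operator a list to review at harvest time, while the escaping in `render_resource_link` holds even if the scan misses a pattern, because an attribute-escaped href cannot close the attribute it sits in.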