[CKAN-Security] XSS for multiple sites

Adrià Mercader adria.mercader at okfn.org
Fri Sep 15 12:50:23 UTC 2017


Let's move the DataPusher related things to a separate thread.

I collected all details regarding the XSS on this issue, let's discuss
there: https://gitlab.com/ckan/ckan-security/issues/24

On 14 September 2017 at 18:41, David Read <david.read at hackneyworkshop.com>
wrote:

> Tyler,
>
> Good spot, and I agree it is a separate issue (which we addressed with
> the recent changes).
>
> I see that the source site that was harvested has the 'onclick' rubbish
> too:
> http://gpdatasets.hscni.net/2017-2018.php
> It seems more like bad PHP rather than an attempted attack, but I
> don't know this area at all well.
>
> I gather that the bugbounty site independently confirms the presence
> of the XSS problem by running automatic tests. So no doubt you're on
> the right path suggesting it is the search form or something similar.
>
> David
>
> On 14 September 2017 at 15:59, Tyler Kennedy <tk at tkte.ch> wrote:
> > Don't believe it's related to this exploit, but if you take a look at the
> > resources on a lot of these sites there are attempted XSS attacks,
> >
> > https://www.opendatani.gov.uk/dataset/gp-prescribing-data/resource/44b5267a-c2a5-4876-974c-055cd8d4a135
> >
> > Notice the onclick at the end of the resource URL? If these sites have
> > datapusher and datastore enabled while allowing public access you can do
> > fun things like pulling the passwords file or having solr delete itself.
> >
> > On Thu, Sep 14, 2017 at 10:20 AM, Adrià Mercader <adria.mercader at okfn.org>
> > wrote:
> >>
> >> > If you are the website owner or administrator please contact the
> >> > researcher directly to get vulnerability details and proceed to
> >> > coordinated disclosure.
> >>
> >> I'll try first emailing him and telling him I'm one of the maintainers
> >> and if that doesn't work we'll have to do it via a Link Digital / Viderum
> >> site
> >>
> >> On 14 September 2017 at 15:19, David Read <david.read at hackneyworkshop.com>
> >> wrote:
> >>>
> >>> Adria,
> >>>
> >>> I believe you have to be the site owner to get the details.
> >>> *Viderum* run opendatani.gov.uk
> >>> *LinkDigital* run some of the Australian ones. Are any reps from them
> >>> on this list?
> >>>
> >>> David
> >>>
> >>> On 14 September 2017 at 14:02, Adrià Mercader <adria.mercader at okfn.org>
> >>> wrote:
> >>> > How does this site work? How can we get the details?
> >>> >
> >>> > On 14 September 2017 at 13:52, David Read
> >>> > <david.read at hackneyworkshop.com>
> >>> > wrote:
> >>> >>
> >>> >> To: CKAN Security list,
> >>> >>
> >>> >> I got alerted to this report of XSS on a number of CKAN sites:
> >>> >>
> >>> >> https://www.openbugbounty.org/reports/294186/
> >>> >>
> >>> >> I don't know the details of the specific problem, but I'm asking via
> >>> >> my contacts.
> >>> >> The CKAN versions on the list seem pretty broad and include the
> >>> >> latest, e.g.
> >>> >>
> >>> >> CKAN 2.2.4 https://data.england.nhs.uk/api/util/status
> >>> >> CKAN 2.6.2 https://www.opendatani.gov.uk/api/util/status
> >>> >>
> >>> >> David
> >>> >> _______________________________________________
> >>> >> CKAN security
> >>> >> https://lists.okfn.org/mailman/listinfo/security
> >>> >>
> >>> >> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
> >>> >>
> >>> >> Repo: https://github.com/ckan/ckan-security
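The thread above does not pin down the actual XSS vector (the search form is only suspected), but it does note harvested resource URLs carrying a stray `onclick` fragment. The following is an added defensive example, not CKAN's or any harvester extension's own code: a harvester-side check that rejects resource URLs with a non-http(s) scheme, markup characters or inline event-handler text, and an output helper that escapes the URL when it is rendered into an `href`. The sample URLs, the function names and the rejection reasons are all constructed for this illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample resource URLs, as a harvester might receive them.
# The second one mimics the "onclick" rubbish seen on the harvested source.
SAMPLE_URLS = [
    "https://example.org/data/2017-2018.csv",
    'https://example.org/data/file.csv" onclick="alert(1)',
    "javascript:alert(document.cookie)",
    "  HTTPS://EXAMPLE.ORG/ok.csv  ",
]

ALLOWED_SCHEMES = {"http", "https"}
# Matches "onclick=", "onerror=", etc. anywhere in the candidate string.
EVENT_HANDLER_RE = re.compile(r"on[a-z]+\s*=", re.IGNORECASE)


def check_resource_url(url):
    """Return (is_safe, reason) for a URL about to be stored as a resource.

    Hypothetical validation policy: only absolute http/https URLs with a host,
    no HTML/attribute delimiters, no whitespace, no inline event-handler text.
    """
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.netloc:
        return False, "missing host"
    if any(c in candidate for c in '<>"\''):
        return False, "markup characters in URL"
    if EVENT_HANDLER_RE.search(candidate):
        return False, "inline event handler in URL"
    if re.search(r"\s", candidate):
        return False, "whitespace in URL"
    return True, "ok"


def render_resource_link(url):
    """Escape a URL for an href attribute and link text.

    Even a value that slipped past validation cannot close the attribute,
    because html.escape(quote=True) turns '"' into '&quot;'.
    """
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(url))


def triage(urls):
    """Run the check over a batch and map each URL to its verdict."""
    return {u: check_resource_url(u) for u in urls}


if __name__ == "__main__":
    for url, (ok, reason) in triage(SAMPLE_URLS).items():
        print("%-5s %-32s %s" % ("PASS" if ok else "FAIL", reason, url))
```

The check is deliberately strict (anything containing a quote or angle bracket is refused rather than cleaned) because a harvester can simply log and skip a bad resource, whereas trying to repair attacker-shaped input tends to leave an encoding the templates did not expect. Output escaping stays in place regardless, since validation at ingest does nothing for records that were harvested before the check existed.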