[CKAN-Security] data modifications using GET

Thu Apr 12 17:41:28 UTC 2018

So a CSRF risk - dupe someone to click on one of these links and you
could change the user's email address to yours, do a password reset
and you control the user account.

Agreed, that's bad. Is there anything else to it I've missed?

Dave

On 12 April 2018 at 16:31, Ian Ward <ian at excess.org> wrote:
> Yes, this one is very bad. There is some checking for POST in the
> package controller but it seems like almost every method does it
> differently.. We'll have to audit them all.
>
> On Thu, Apr 12, 2018 at 10:57 AM, JD Bothma <jd at openup.org.za> wrote:
>> Hi there
>>
>> Isn't it a serious security issue to allow data modification via GET
>> requests?
>>
>> e.g. curl -v
>> 'https://data.vulekamali.gov.za/user/edit/jd?name=jd&fullname=Jan+D+Bothma&email=jd%40openup.org.za&about=&old_password=&password1=&password2=&save='
>> -H 'cookie:...' ...
>>
>> This changed my display name. Haven't checked if you can modify datasets
>> this way.
>>
>> Further, since GET is whitelisted this CSRF protection isn't effective
>> https://github.com/data-govt-nz/ckanext-security/blob/master/ckanext/security/middleware.py#L23
>>
>> Do you know of a way to stop modifications with GET other than modifying the
>> controllers? It looks like the same controllers are used for GET and POST
>> which means we can't just add method conditions in routing.py
>> https://thejimmyg.github.io/pylonsbook/en/1.0/urls-routing-and-dispatch.html
>>
>> Best
>> JD
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/ian%40excess.org
>>
>> Repo: https://github.com/ckan/ckan-security
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/david.read%40hackneyworkshop.com
>
> Repo: https://github.com/ckan/ckan-security