[CKAN-Security] a CKAN security vulnerability
David Read
david.read at hackneyworkshop.com
Wed Jan 10 18:30:17 UTC 2018
ixsec,
pl.ckan.net is a long way out of date - CKAN version 2.0.
http://pl.ckan.net/api/util/status
The CKAN tech team no longer provide security patch releases this far back.
I strongly recommend an urgent update of the software, or that it be switched off.
David
On 9 January 2018 at 01:31, 浅蓝 <blue at ixsec.org> wrote:
> I do not know the current version of CKAN; I found this during a website
> penetration test.
>
> I found a problematic CKAN website through a search engine.
>
> The website needs a login account. You can try this site to understand
> this problem.
>
> http://pl.ckan.net/dataset/asdsad/resource/cf5105aa-703a-475b-8f02-36d3d676877e
>
> ------------------ Original Message ------------------
> *From:* "David Read";<david.read at hackneyworkshop.com>;
> *Sent:* Monday, 8 January 2018, 10:19 PM
> *To:* "CKAN Security Alerts/Discussions"<security at lists.okfn.org>;"浅蓝"<blue at ixsec.org>;
> *Subject:* Re: [CKAN-Security] a CKAN security vulnerability
>
> Thanks for the alert. However I believe the scheme is checked in all
> current versions of CKAN, and 'javascript:' is not linked. What version of
> CKAN are you running?
>
> David
>
> On 8 January 2018 at 07:15, 浅蓝 <blue at ixsec.org> wrote:
>
>> Hello, I found an XSS vulnerability while using CKAN.
>>
>> The specific operation is as follows.
>>
>> 1. Add dataset
>>
>> 2. Next, click "Link"
>>
>> 3. Input XSS payload
>>
>> 4. Click URL link
>>
>> Looking forward to your reply.
>>
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> Repo: https://github.com/ckan/ckan-security
>>
>
>
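As an added example (not CKAN's own code, and not part of the thread above), this is the kind of scheme check David's reply refers to, applied before a resource URL is emitted as a link; the allowlist, the function names and the sample inputs are assumptions, not taken from the project.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the only schemes a catalogue resource link may carry.
# "javascript:", "data:", "vbscript:" and anything unrecognised are refused.
ALLOWED_SCHEMES = {"http", "https", "ftp"}


def is_safe_link_url(url) -> bool:
    """Return True only if ``url`` may be emitted as an href.

    Browsers drop leading/trailing whitespace and embedded ASCII control
    characters before parsing the scheme, and match the scheme
    case-insensitively, so the check normalises the same way instead of
    searching for the literal text "javascript:".
    """
    if not isinstance(url, str):
        return False
    # Strip surrounding whitespace, then remove embedded control characters
    # (tab, newline, ...) so "java\tscript:" is seen for what it is.
    cleaned = "".join(
        ch for ch in url.strip() if ord(ch) > 0x1F and ord(ch) != 0x7F
    )
    if not cleaned:
        return False
    scheme = urlsplit(cleaned).scheme  # urlsplit lowercases the scheme
    if scheme == "":
        # No parseable scheme: accept a relative or scheme-relative URL, but
        # refuse anything whose first path segment still contains a colon,
        # which a browser might interpret as a scheme we could not parse.
        return ":" not in cleaned.split("/", 1)[0]
    return scheme in ALLOWED_SCHEMES


def render_resource_link(url) -> str:
    """Return the href to emit for a resource: the URL itself, or '#' if refused."""
    return url if is_safe_link_url(url) else "#"


if __name__ == "__main__":
    # Constructed sample inputs: two benign resource URLs and several
    # javascript: variants that a naive literal-string check would miss.
    for sample in ["https://example.org/data.csv", "/dataset/x/resource/1",
                   "javascript:alert(1)", "JaVaScRiPt:alert(1)",
                   " javascript:alert(1)", "java\tscript:alert(1)"]:
        print(repr(sample), "->", render_resource_link(sample))
```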