[CKAN-Security] X-Forwarded-Host HTTP header is always trusted and is used in url_for

Philip Ashlock - QXA philip.ashlock at gsa.gov
Tue Jun 5 22:06:37 UTC 2018


Hello,

Data.gov uses CKAN and is participating in a bug bounty program through
hackerone.com. We are currently responding to a vulnerability that comes
from libraries used by CKAN (specifically the url_for function provided by
routes/flask). I haven't seen this reported with routes or flask, but my
understanding is that routes is a port of the rails routing functionality
and it does look like this vulnerability was reported under rails (also via
HackerOne). You can see that vulnerability report here
https://github.com/rails/rails/issues/29893

If I understand correctly that this is a vulnerability impacting other CKAN
instances and it is not something currently being addressed, we wanted to
make sure it was brought to your attention. While I am aware that this
appears to be caused by upstream libraries, I wanted to start by addressing
it with CKAN, because the researcher who reported it to us on HackerOne has
indicated they expect to publish their findings soon and include it in a
talk at the Black Hat conference and they will likely use CKAN as an
example.

If you can confirm my understanding of this problem is correct and that it
hasn't already been addressed or reported to the upstream libraries
(routes/flask), we'd also appreciate assistance in bringing the disclosure
to the attention of those developers.

If you need more information or a proof of concept beyond the documentation
reported with the issue on rails, we'd be happy to provide that.

Best,
Phil
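To make the reported behaviour concrete for defenders, the following added example (not CKAN, routes or Flask code; a hypothetical reimplementation of the pattern the report describes) contrasts a host resolver that always trusts X-Forwarded-Host with one that only honours it behind a known proxy and checks the result against an allowlist. The WSGI environ, host names and path are constructed for the demo.

```python
from urllib.parse import urlunsplit


def host_trusting_forwarded(environ):
    """Vulnerable pattern: X-Forwarded-Host wins whenever it is present,
    so any client can choose the host that url_for() embeds in links."""
    forwarded = environ.get("HTTP_X_FORWARDED_HOST")
    if forwarded:
        # Proxies may chain values; the first entry is the one used.
        return forwarded.split(",")[0].strip()
    return environ.get("HTTP_HOST") or environ["SERVER_NAME"]


def host_allowlisted(environ, trusted_hosts, behind_trusted_proxy=False):
    """Hardened pattern: the forwarded header is read only when the app is
    configured as sitting behind a proxy that strips client-supplied copies,
    and the resolved host must still be in the configured allowlist."""
    candidate = None
    if behind_trusted_proxy:
        forwarded = environ.get("HTTP_X_FORWARDED_HOST")
        if forwarded:
            candidate = forwarded.split(",")[0].strip()
    if candidate is None:
        candidate = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    if candidate.lower() not in trusted_hosts:
        raise ValueError(f"untrusted host in request: {candidate!r}")
    return candidate


def url_for_external(environ, path, resolve_host, **resolver_kwargs):
    """Build an absolute URL the way url_for(..., _external=True) does:
    scheme and host come from the request, path from the route."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = resolve_host(environ, **resolver_kwargs)
    return urlunsplit((scheme, host, path, "", ""))


# Constructed request: the client itself supplied an X-Forwarded-Host header
# that does not match the host the application is actually served from.
SPOOFED_ENVIRON = {
    "wsgi.url_scheme": "https",
    "SERVER_NAME": "ckan.example.org",
    "HTTP_HOST": "ckan.example.org",
    "HTTP_X_FORWARDED_HOST": "untrusted.example",
}
TRUSTED_HOSTS = {"ckan.example.org"}

if __name__ == "__main__":
    print(url_for_external(SPOOFED_ENVIRON, "/dataset/x", host_trusting_forwarded))
    print(url_for_external(SPOOFED_ENVIRON, "/dataset/x", host_allowlisted,
                           trusted_hosts=TRUSTED_HOSTS))
```

The first line printed carries the client-chosen host into a generated link; the second keeps the configured host, and enabling the proxy flag without a proxy that overwrites the header makes the resolver reject the request instead.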