[CKAN-Security] Fwd: Security post from philip.ashlock at gsa.gov requires approval

Adrià Mercader adria.mercader at okfn.org
Wed Jun 6 08:20:16 UTC 2018


Not sure if this email from Philip got through to the security list, so
forwarding again.


---------- Forwarded message ----------
From: Philip Ashlock - QXA <philip.ashlock at gsa.gov>
To: security at ckan.org
Cc: John Jediny - XAAB <john.jediny at gsa.gov>, Hyon Kim - XI <hyon.kim at gsa.gov>
Bcc:
Date: Tue, 5 Jun 2018 18:06:37 -0400
Subject: X-Forwarded-Host HTTP header is always trusted and is used in url_for
Hello,

Data.gov uses CKAN and is participating in a bug bounty program
through hackerone.com. We are currently responding to a vulnerability
that comes from libraries used by CKAN (specifically the url_for
function provided by routes/flask). I haven't seen this reported with
routes or flask, but my understanding is that routes is a port of the
rails routing functionality and it does look like this vulnerability
was reported under rails (also via HackerOne). You can see that
vulnerability report here: https://github.com/rails/rails/issues/29893

If I understand correctly that this is a vulnerability impacting other
CKAN instances and it is not something currently being addressed, we
wanted to make sure it was brought to your attention. While I am aware
that this appears to be caused by upstream libraries, I wanted to
start by addressing it with CKAN, because the researcher who reported
it to us on HackerOne has indicated they expect to publish their
findings soon and include it in a talk at the Black Hat conference and
they will likely use CKAN as an example.

If you can confirm my understanding of this problem is correct and
that it hasn't already been addressed or reported to the upstream
libraries (routes/flask), we'd also appreciate assistance in bringing
the disclosure to the attention of those developers.

If you need more information or a proof of concept beyond the
documentation reported with the issue on rails, we'd be happy to
provide that.

Best,
Phil
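As an added illustration of the problem Philip describes (not code from CKAN, routes or Flask): a hypothetical host-resolution helper in plain Python, showing the weak behaviour of always trusting `X-Forwarded-Host` next to a hardened variant that honours the header only when the request came from a known reverse proxy and the resulting host is on an allowlist. The proxy address, host names and request dicts are constructed sample values.

```python
"""Host resolution for absolute URL building: trusting X-Forwarded-Host
unconditionally versus honouring it only behind a known proxy and against
an allowlist. Hypothetical helper, not CKAN/Flask/routes code."""

TRUSTED_PROXIES = {"10.0.0.5"}            # constructed: our reverse proxy
ALLOWED_HOSTS = {"catalog.example.gov"}   # constructed: hosts we serve


def host_trusting_forwarded(environ):
    """Weak behaviour from the report: the forwarded host wins whenever
    the header is present, regardless of who sent it."""
    return environ.get("HTTP_X_FORWARDED_HOST") or environ["HTTP_HOST"]


def host_hardened(environ):
    """Honour X-Forwarded-Host only if the TCP peer is a trusted proxy,
    and only if the resulting host is one this deployment serves."""
    host = environ["HTTP_HOST"]
    forwarded = environ.get("HTTP_X_FORWARDED_HOST")
    if forwarded and environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        # chained proxies may append values; the first is the origin host
        host = forwarded.split(",")[0].strip()
    # compare without the port so "host:8080" is checked as "host"
    if host.split(":")[0].lower() not in ALLOWED_HOSTS:
        raise ValueError("untrusted Host: %r" % host)
    return host


def url_for_reset(environ, token, resolve=host_hardened):
    """Absolute URL for a reset-style link; this is where an
    attacker-controlled host would otherwise land in an outgoing e-mail."""
    return "https://%s/user/reset/%s" % (resolve(environ), token)


# constructed request: direct from the internet, not via our proxy,
# carrying a spoofed X-Forwarded-Host
SPOOFED = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_HOST": "catalog.example.gov",
    "HTTP_X_FORWARDED_HOST": "evil.example.net",
}
# constructed request: same header, but set by our own reverse proxy
VIA_PROXY = {
    "REMOTE_ADDR": "10.0.0.5",
    "HTTP_HOST": "10.0.0.12:8080",
    "HTTP_X_FORWARDED_HOST": "catalog.example.gov",
}
```

With the weak resolver the spoofed request yields a link pointing at the attacker's host; the hardened resolver ignores the header from an untrusted peer and rejects any host outside the allowlist.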

