[CKAN-Security] X-Forwarded-Host HTTP header is always trusted and is used in url_for

John Jediny - QXA john.jediny at gsa.gov
Wed Jun 6 14:27:47 UTC 2018


Here is the full report

On Tue, Jun 5, 2018 at 6:06 PM, Philip Ashlock - QXA <philip.ashlock at gsa.gov> wrote:

> Hello,
>
> Data.gov uses CKAN and is participating in a bug bounty program through
> hackerone.com. We are currently responding to a vulnerability that comes
> from libraries used by CKAN (specifically the url_for function provided by
> routes/flask). I haven't seen this reported with routes or flask, but my
> understanding is that routes is a port of the rails routing functionality
> and it does look like this vulnerability was reported under rails (also via
> HackerOne). You can see that vulnerability report here
> https://github.com/rails/rails/issues/29893
>
> If I understand correctly that this is a vulnerability impacting other
> CKAN instances and it is not something currently being addressed, we wanted
> to make sure it was brought to your attention. While I am aware that this
> appears to be caused by upstream libraries, I wanted to start by addressing
> it with CKAN, because the researcher who reported it to us on HackerOne has
> indicated they expect to publish their findings soon and include it in a
> talk at the Black Hat conference and they will likely use CKAN as an
> example.
>
> If you can confirm my understanding of this problem is correct and that it
> hasn't already been addressed or reported to the upstream libraries
> (routes/flask), we'd also appreciate assistance in bringing the disclosure
> to the attention of those developers.
>
> If you need more information or a proof of concept beyond the
> documentation reported with the issue on rails, we'd be happy to provide
> that.
>
> Best,
> Phil
>


-- 
Title: IT Specialist
Program: Data.gov <https://catalog.data.gov>
Office: Technology Transformation Service (TTS)
<http://www.gsa.gov/portal/category/25729>
Agency: General Services Administration
Github: JJediny <https://github.com/JJediny>
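An added illustration of the problem the thread describes (this is not code from CKAN, routes, Flask or the HackerOne report; the WSGI environ samples, host names and proxy addresses are constructed): a naive absolute-URL builder that honours X-Forwarded-Host from any client, beside a hardened one that only accepts the header when the request arrives from a known reverse proxy, and only for hosts the site is actually served under.

```python
# Added illustration (not CKAN, routes or Flask code): why an absolute-URL
# builder must not trust X-Forwarded-Host from an arbitrary client, and one
# way to harden it. The WSGI environ dictionaries below are constructed.
from urllib.parse import quote


def build_url_naive(environ, path):
    """Reproduces the risky pattern described in the report: a client-supplied
    X-Forwarded-Host (and X-Forwarded-Proto) overrides the real Host header, so
    every absolute link the application generates points wherever the sender says."""
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ.get("HTTP_HOST", "")
    scheme = environ.get("HTTP_X_FORWARDED_PROTO") or environ.get("wsgi.url_scheme", "http")
    return f"{scheme}://{host}{quote(path)}"


def build_url_hardened(environ, path, trusted_proxies, allowed_hosts):
    """Two checks before a forwarded host is honoured:
    1. the request must come from a proxy we operate (REMOTE_ADDR allow-list);
    2. the resulting host must be one this site is actually served under.
    Anything else is rejected rather than silently used in a link."""
    remote = environ.get("REMOTE_ADDR", "")
    host = environ.get("HTTP_HOST", "")
    scheme = environ.get("wsgi.url_scheme", "http")
    if remote in trusted_proxies:
        # Only the first hop of a comma-separated chain is meaningful.
        forwarded = environ.get("HTTP_X_FORWARDED_HOST", "").split(",")[0].strip()
        if forwarded:
            host = forwarded
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", scheme).split(",")[0].strip() or scheme
    if host.lower() not in allowed_hosts:
        raise ValueError(f"refusing to build URL for untrusted host {host!r}")
    return f"{scheme}://{host}{quote(path)}"


# Constructed request: a direct client (not our proxy) sending a spoofed header.
DIRECT_SPOOFED = {
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_HOST": "catalog.example.gov",
    "HTTP_X_FORWARDED_HOST": "spoofed.example",
    "wsgi.url_scheme": "https",
}

# Constructed request: the same header, but arriving via our own reverse proxy.
VIA_PROXY_SPOOFED = dict(DIRECT_SPOOFED, REMOTE_ADDR="10.0.0.2")

TRUSTED_PROXIES = {"10.0.0.2"}            # assumed address of our reverse proxy
ALLOWED_HOSTS = {"catalog.example.gov"}   # hosts this site is legitimately served under


def demo():
    """Returns (naive_result, hardened_result, hardened_rejected) for the samples."""
    naive = build_url_naive(DIRECT_SPOOFED, "/dataset/example")
    hardened = build_url_hardened(DIRECT_SPOOFED, "/dataset/example",
                                  TRUSTED_PROXIES, ALLOWED_HOSTS)
    try:
        build_url_hardened(VIA_PROXY_SPOOFED, "/dataset/example",
                           TRUSTED_PROXIES, ALLOWED_HOSTS)
        rejected = False
    except ValueError:
        rejected = True
    return naive, hardened, rejected


if __name__ == "__main__":
    print(demo())
```

The naive builder emits a link to the spoofed host for a request that never passed through the proxy; the hardened one ignores the header in that case and, when the header does arrive from the proxy but names a host the site does not serve, refuses to build the link at all, which is the failure mode a deployment should surface in logs rather than in generated URLs.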
Attachment: HackerOne_Report-tts#303730.zip (application/zip, 622139 bytes)
URL: <https://lists.okfn.org/mailman/private/security/attachments/20180606/438cbdd2/attachment-0001.zip>

