[CKAN-Security] X-Forwarded-Host HTTP header is always trusted and is used in url_for

Adrià Mercader adria.mercader at okfn.org
Thu Jun 7 14:07:23 UTC 2018


Thanks for the details.

As of CKAN 2.5 we included code to sanitize the host used in fully
qualified URLs generated by `url_for`, making sure it is using the one
defined in the `ckan.site_url` configuration setting:

https://github.com/ckan/ckan/pull/2599

Would you mind testing if that patch solves the issue? My
understanding is that it will but I might have missed something along
the way.

I guess now it's a good time to mention that a lot has moved forward
on recent CKAN releases :)

Let me know if the patch works and if you need any more details.

Best,

Adrià



On 6 June 2018 at 16:27, John Jediny - QXA <john.jediny at gsa.gov> wrote:
> Here is the full report
>
> On Tue, Jun 5, 2018 at 6:06 PM, Philip Ashlock - QXA
> <philip.ashlock at gsa.gov> wrote:
>>
>> Hello,
>>
>> Data.gov uses CKAN and is participating in a bug bounty program through
>> hackerone.com. We are currently responding to a vulnerability that comes
>> from libraries used by CKAN (specifically the url_for function provided by
>> routes/flask). I haven't seen this reported with routes or flask, but my
>> understanding is that routes is a port of the rails routing functionality
>> and it does look like this vulnerability was reported under rails (also via
>> HackerOne). You can see that vulnerability report here
>> https://github.com/rails/rails/issues/29893
>>
>> If I understand correctly that this is a vulnerability impacting other
>> CKAN instances and it is not something currently being addressed, we wanted
>> to make sure it was brought to your attention. While I am aware that this
>> appears to be caused by upstream libraries, I wanted to start by addressing
>> it with CKAN, because the researcher who reported it to us on HackerOne has
>> indicated they expect to publish their findings soon and include it in a
>> talk at the Black Hat conference and they will likely use CKAN as an
>> example.
>>
>> If you can confirm my understanding of this problem is correct and that it
>> hasn't already been addressed or reported to the upstream libraries
>> (routes/flask), we'd also appreciate assistance in bringing the disclosure
>> to the attention of those developers.
>>
>> If you need more information or a proof of concept beyond the
>> documentation reported with the issue on rails, we'd be happy to provide
>> that.
>>
>> Best,
>> Phil
>>
>>
>
>
>
> --
> Title: IT Specialist
> Program: Data.gov
> Office: Technology Transformation Service (TTS)
> Agency: General Services Administration
> Github: JJediny
>
> Repo: https://github.com/ckan/ckan-security
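
As an added illustration of the approach described in the reply above (not CKAN's code and not the contents of the linked pull request): a fully qualified URL built from request headers, next to a version whose scheme and host are pinned to a configured site URL. `SITE_URL`, the function names and the sample headers are assumptions made up for this example.

```python
from urllib.parse import urlsplit, urlunsplit

SITE_URL = "https://catalog.example.org"  # constructed stand-in for ckan.site_url


def naive_external_url(path, headers):
    """Unsafe pattern: the host comes from client-controlled request headers."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "localhost")
    scheme = headers.get("X-Forwarded-Proto", "http")
    return urlunsplit((scheme, host, path, "", ""))


def pinned_external_url(path, headers, site_url=SITE_URL):
    """Build the URL from request data, then force scheme and host to site_url."""
    candidate = urlsplit(naive_external_url(path, headers))
    site = urlsplit(site_url)
    if site.scheme not in ("http", "https") or not site.netloc:
        raise ValueError("site_url must be an absolute http(s) URL")
    # Keep any path prefix configured in site_url (e.g. a mount point).
    prefix = site.path.rstrip("/")
    return urlunsplit((site.scheme, site.netloc, prefix + candidate.path,
                       candidate.query, candidate.fragment))


def host_mismatch(headers, site_url=SITE_URL):
    """Detection helper: True when a forwarded host differs from the configured one."""
    forwarded = headers.get("X-Forwarded-Host")
    if not forwarded:
        return False
    # Proxies may append hosts as a comma-separated list; check each entry.
    expected = urlsplit(site_url).netloc.lower()
    return any(h.strip().lower() != expected for h in forwarded.split(","))


# Constructed request headers for the demonstration.
SAMPLE = {"Host": "catalog.example.org", "X-Forwarded-Host": "other.example.net",
          "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print(naive_external_url("/dataset/abc", SAMPLE))
    print(pinned_external_url("/dataset/abc", SAMPLE))
    print(host_mismatch(SAMPLE))
```

`host_mismatch` is suited to logging or alerting on requests whose forwarded host disagrees with the configured one; the pinning itself does not depend on it.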


