[CKAN-Security] SQL Injection Vulnerability

Adrià Mercader adria.mercader at okfn.org
Mon Jun 11 20:21:28 UTC 2018 

Hi Gonzalo,

After looking at your report it seems like this issue was fixed in
CKAN starting from version 2.3. The site that you are linking to
(http://risp.puertosdetenerife.org) is running a really old version of
CKAN (2.2) so we suggest that it is upgraded to a more recent (and
supported) version. There is extensive documentation on how to upgrade
a CKAN instance:

http://docs.ckan.org/en/2.8/maintaining/upgrading/index.html#upgrade-ckan

In case you want to apply the fix manually, these are the commit
including the fixes:

https://github.com/ckan/ckan/commit/4afd924f94000812d5896e3eb2e1931cb844983f
https://github.com/ckan/ckan/commit/9d7295b360484fbbff060406771c551093c0b602
https://github.com/ckan/ckan/commit/09600a84374dfa56052846dfaaac60e6b502257d

Are you one of the maintainers of the site risp.puertosdetenerife.org
or can contact them? It would be great if the site could be upgraded
to a newer version to avoid this and other vulnerabilities.

Hope this helps, please let us know if you need more details.

Best,

Adrià




On 8 June 2018 at 22:32, Adrià Mercader <adria.mercader at okfn.org> wrote:
> Hi Gonzalo,
>
> Thanks for your report. We will assess it as soon as possible and get
> back to you.
>
> Best,
>
> Adrià
>
> On 8 June 2018 at 12:37, Gonzalo Garcia | ODS Red Team
> <gonzalo.g at opendatasecurity.io> wrote:
>> Hi, I've found a SQL Injection vulnerability on
>> /api/3/action/datastore_search. I've exploited it on "q" parameter, but
>> maybe other parameters are affected too.
>>
>> Example POST data:
>> Query fails
>> {"resource_id":"38a8888c-30fd-4002-810e-6b7fe87a6fb2","q":" ' "
>> ,"filters":{},"limit":100,"offset":0}
>>
>> Query doesn't fail because PostgreSQL version string is "PostrgreSQL..." and
>> "o" is the second char of the string.
>> {"resource_id":"38a8888c-30fd-4002-810e-6b7fe87a6fb2","q":"'|| (SELECT CASE
>> substr(version(),2,1) WHEN 'o' THEN 'A' ELSE sleep(5) END) ||'"
>> ,"filters":{},"limit":100,"offset":0}
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security

More information about the Security mailing list