[CKAN-Security] Possible security issues

Adrià Mercader adria.mercader at okfn.org
Wed May 2 10:10:00 UTC 2018


Hi David,

Thanks for reaching out.

Regarding the first issue you raise, this vulnerability was fixed in a
previous patch release for 2.6. You should always run the latest patch
release (2.6.5) as it contains security fixes like this one. We don't
explicitly mention all security-related patches in the changelog so as not to
put out-of-date sites like yours at risk. Updating to the latest patch release
is very easy and does not introduce backwards-incompatible changes [1].

Regarding the second issue, this does indeed look like it should be addressed.
There are no immediate plans to work on this, but we'll create an issue to
track it. Would you be willing to submit a pull request?
In the meantime, overriding the templates is your best option.

Many thanks

Adrià


[1] http://docs.ckan.org/en/latest/maintaining/upgrading/index.html#upgrade-ckan

On 30 April 2018 at 15:42, SANDBERG David <david.sandberg at soprasteria.com>
wrote:

> Dear CKAN security team,
>
> I am working as a consultant developer for a customer in Stockholm, Sweden
> and using CKAN as my primary platform for storing data. When our security
> team scanned the applications currently used, they found two potential
> security issues in the CKAN platform that I would like to ask you about. I
> am currently using CKAN 2.6.2 but have not seen any release notes for later
> versions mentioning fixes to these issues. I have also tried searching the
> Github issues regarding these questions but have not found any answers.
> Perhaps you can help me clarify some things?
>
>    1. HTML Injection: The api_info.html file in /ajax_snippets is
>    susceptible to HTML Injection. Example request:
>    http://localhost/api/1/util/snippet/api_info.html?resource_id=00000000-0000-0000-0000-000000000000
>    Is this file really necessary, since all the APIs are described in detail
>    on the CKAN webpage?
>    2. External links using target='_blank': For example, the Social links
>    present under each dataset have the target='_blank', which poses a security
>    risk. I was wondering if there are any plans to provide the possibility to
>    configure this attribute in the config file (or by default add the
>    'rel=noopener' attribute to tags containing the target='_blank' attribute),
>    or if it's up to the developer to create new templates that override this
>    functionality?
>
> I look forward to your response. Thank you in advance.
>
> Best regards
>
> David SANDBERG
> Developer
> Sopra Steria
> Vasagatan 38
> SE-111 20 Stockholm - Sweden
> Phone: +46 8 587 650 00
> david.sandberg at soprasteria.com - www.soprasteria.se
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
>
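The two patterns discussed in this thread, a snippet that reflects a request parameter into HTML and external links opened with target="_blank" but no rel="noopener", are illustrated below in an added example. This is not CKAN's code and does not reproduce the fixed 2.6 vulnerability; the snippet markup, the function names (render_api_info_vulnerable, render_api_info_hardened, is_valid_resource_id, add_noopener, NoopenerRewriter) and the sample page are hypothetical and constructed for the example. It uses only the Python standard library so it runs without a CKAN installation.

```python
"""Added example, not CKAN code: (1) a reflected-parameter snippet in its
unescaped and hardened forms, (2) a rewriter that adds rel="noopener" to
every <a ... target="_blank"> in rendered HTML and reports how many links
it had to fix.  All names and markup are hypothetical."""
import html
import re
from html.parser import HTMLParser

# Canonical textual UUID: the only shape a resource_id should ever take.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def is_valid_resource_id(resource_id: str) -> bool:
    """Allow-list check: anything that is not a UUID is rejected outright."""
    return bool(UUID_RE.match(resource_id.lower()))


def render_api_info_vulnerable(resource_id: str) -> str:
    """Interpolates the parameter straight into markup (hypothetical snippet):
    a '"' or '<' in resource_id becomes live HTML in the response."""
    return f'<p>Resource ID: <code>{resource_id}</code></p>'


def render_api_info_hardened(resource_id: str) -> str:
    """Validate first, then escape.  Both layers stay in place: the check may
    be relaxed by a later change, and escaping alone says nothing about
    whether the value is meaningful."""
    if not is_valid_resource_id(resource_id):
        raise ValueError("resource_id must be a UUID")
    safe = html.escape(resource_id, quote=True)
    return f'<p>Resource ID: <code>{safe}</code></p>'


class NoopenerRewriter(HTMLParser):
    """Re-emits a document, adding rel="noopener" to anchors opened in a new
    tab.  Existing rel tokens (e.g. nofollow) are preserved; anchors that
    already carry noopener are left untouched.  self.fixed counts changes,
    so the class doubles as an audit of a rendered page."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.fixed = 0

    def _fix_anchor(self, attrs):
        attr_map = dict(attrs)
        if (attr_map.get("target") or "").lower() != "_blank":
            return attrs
        rel_tokens = (attr_map.get("rel") or "").split()
        if "noopener" in (t.lower() for t in rel_tokens):
            return attrs
        rel_tokens.append("noopener")
        self.fixed += 1
        new_rel = " ".join(rel_tokens)
        if "rel" in attr_map:
            return [(n, new_rel if n == "rel" else v) for n, v in attrs]
        return attrs + [("rel", new_rel)]

    def _emit_start(self, tag, attrs, selfclosing=False):
        if tag == "a":
            attrs = self._fix_anchor(attrs)
        parts = [tag]
        for name, value in attrs:
            if value is None:           # bare attribute such as <input disabled>
                parts.append(name)
            else:                       # parser unescaped it; re-escape on output
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_start(tag, attrs, selfclosing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def add_noopener(markup: str):
    """Returns (rewritten_html, number_of_links_that_were_fixed)."""
    parser = NoopenerRewriter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.fixed


# Constructed sample page (not CKAN output): a social-links list with one
# unsafe link, one that has rel=nofollow but no noopener, one already safe,
# and one same-tab link that must be left alone.
SAMPLE_PAGE = (
    '<ul class="social">'
    '<li><a href="https://twitter.com/share?url=x&amp;text=y" target="_blank">Twitter</a></li>'
    '<li><a href="https://example.org/" target="_blank" rel="nofollow">Link</a></li>'
    '<li><a href="https://example.org/ok" target="_blank" rel="noopener">Already safe</a></li>'
    '<li><a href="/local">Same tab</a></li>'
    '</ul>'
)

if __name__ == "__main__":
    payload = '"><img src=x onerror=alert(1)>'
    print(render_api_info_vulnerable(payload))     # markup survives intact
    print(is_valid_resource_id(payload))           # False
    fixed_html, count = add_noopener(SAMPLE_PAGE)
    print(count, fixed_html)                       # 2 links fixed
```

The rewriter is a post-processing fallback for sites that cannot override every template; the durable fix is to emit rel="noopener" in the templates themselves, and in either case run the audit against a rendered dataset page to confirm that the count of fixed links drops to zero.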