[CKAN-Security] ckan 2.7.2 vulnerability issues

Adrià Mercader adria.mercader at okfn.org
Wed May 9 12:09:40 UTC 2018


Hi Michael,

Many thanks for your report. Sorry for the delay in coming back to you.
We'll discuss the issues with the rest of the tech team and come back
to you as soon as possible.

Adrià

On 7 May 2018 at 17:22, Michael Beilin <michaelb at cio.gov.il> wrote:
> Hi,
>
>
>
> We are using a CKAN 2.7.2 instance in our organization, and some
> vulnerability issues were found by our application security team.
>
> We can't deploy to the production environment without solving these.
>
> Can you please confirm or refute the following problems?
>
> Regards
>
> 1. Connection String Injection
>
> Severity High
>
> Method _get_config at line 185 of
> /ckan-small/default/src/ckan/ckan/lib/cli.py gets user input from the get
> element. This element's value flows through the code without being properly
> sanitized or validated, and is eventually used in a connection string in
> rebuild_fast at line 603 of /ckan-small/default/src/ckan/ckan/lib/cli.py.
> This may enable a Connection String Injection attack.
> Source:      /ckan-small/default/src/ckan/ckan/lib/cli.py, line 192, object: get
> Destination: /ckan-small/default/src/ckan/ckan/lib/cli.py, line 609, object: engine
>
> Code Snippet
>
> File Name: /ckan-small/default/src/ckan/ckan/lib/cli.py
> Method: def _get_config(config=None):
>     ....
>     192. filename = os.environ.get('CKAN_INI')
>
> File Name: /ckan-small/default/src/ckan/ckan/lib/cli.py
> Method: def rebuild_fast(self):
>     ....
>     609. engine = sa.create_engine(db_url)
>
> 2. Cross Site History Manipulation
>
> Severity Medium
>
> Method job_listener at line 172 of
> /ckan-small/default/lib/python2.7/site-packages/ckanserviceprovider/web.py
> may leak server-side conditional values, enabling user tracking from another
> website. This may constitute a Privacy Violation.
>
> Source:      /ckan-small/default/lib/python2.7/site-packages/ckanserviceprovider/web.py, line 195, object: if
> Destination: /ckan-small/default/lib/python2.7/site-packages/ckanserviceprovider/web.py, line 195, object: if
>
> Code Snippet
>
> File Name: /ckan-small/default/lib/python2.7/site-packages/ckanserviceprovider/web.py
> Method: def job_listener(event):
>     ....
>     195. if "_TEST_CALLBACK_URL" in app.config:
>
> 3. Cross Site History Manipulation
>
> Severity Medium
>
> Method redirect_to at line 135 of
> /ckan-small/default/src/ckan/build/lib.linux-x86_64-2.7/ckan/lib/helpers.py
> may leak server-side conditional values, enabling user tracking from another
> website. This may constitute a Privacy Violation.
>
> Source:      /ckan-small/default/src/ckan/build/lib.linux-x86_64-2.7/ckan/lib/helpers.py, line 184, object: if
> Destination: /ckan-small/default/src/ckan/build/lib.linux-x86_64-2.7/ckan/lib/helpers.py, line 184, object: if
>
> Code Snippet
>
> File Name: /ckan-small/default/src/ckan/build/lib.linux-x86_64-2.7/ckan/lib/helpers.py
> Method: def redirect_to(*args, **kw):
>     ....
>     184. if is_flask_request():
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security
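Added example for finding 1 above (editor's illustration, not part of either message and not CKAN project code). The scanner's data flow is: the `.ini` path is taken from the CKAN_INI variable in the CLI's own process environment, a database URL is read from that file, and the URL reaches `sa.create_engine(db_url)`. The first thing to establish in triage is therefore who can set CKAN_INI: it is read with `os.environ.get` in a command-line tool, so the source is whoever runs the command, not a web request. If defence in depth is still wanted, the check that belongs in front of `create_engine()` is an allow-list on the parsed URL (dialect, host, driver options), which the block below models with stdlib-only code. Assumptions not taken from the report: the URL lives under `sqlalchemy.url` in the `[app:main]` section of the `.ini`, the default file name `development.ini`, and the config "files", which are constructed in-memory strings.

```python
import configparser
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for the filesystem (path -> .ini text); not real CKAN files.
CONFIG_FILES = {
    "/etc/ckan/default/production.ini": (
        "[app:main]\n"
        "sqlalchemy.url = postgresql://ckan_default:s3cret@localhost/ckan_default"
        "?sslmode=require\n"
    ),
    # Same key, but the dialect itself is the problem: a file-backed database.
    "/tmp/attacker.ini": (
        "[app:main]\n"
        "sqlalchemy.url = sqlite:////etc/passwd\n"
    ),
    # Right dialect, but a foreign host and a libpq 'options' parameter in the query string.
    "/tmp/tampered.ini": (
        "[app:main]\n"
        "sqlalchemy.url = postgresql://ckan_default:s3cret@db.attacker.example/ckan_default"
        "?options=-c%20search_path%3Dpublic\n"
    ),
}

# Allow-lists an operator would tune for their deployment (assumed values).
ALLOWED_SCHEMES = {"postgresql", "postgresql+psycopg2"}
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}
ALLOWED_QUERY_KEYS = {"sslmode"}


def get_config_path(environ, default="development.ini"):
    """The scanner's source: the .ini path comes from CKAN_INI in the process
    environment (default name is an assumption). Whoever controls the CLI's
    environment chooses the file, which is the trust boundary to reason about."""
    return environ.get("CKAN_INI") or default


def load_db_url(path, files=CONFIG_FILES):
    """Read sqlalchemy.url from [app:main] of the chosen .ini (assumed key/section).
    interpolation=None so '%' sequences in the URL are not treated as ConfigParser
    interpolation markers."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(files[path])
    return parser.get("app:main", "sqlalchemy.url")


def validate_db_url(url, allowed_schemes=ALLOWED_SCHEMES,
                    allowed_hosts=ALLOWED_HOSTS, allowed_query=ALLOWED_QUERY_KEYS):
    """Allow-list check on a SQLAlchemy URL before it reaches create_engine().
    Rejects unexpected dialects/drivers, hosts, and driver options carried in the
    query string. Raises ValueError; returns the URL unchanged when it passes."""
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        raise ValueError("disallowed dialect/driver: %r" % parts.scheme)
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        raise ValueError("disallowed database host: %r" % parts.hostname)
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in allowed_query:
            raise ValueError("disallowed driver option: %r" % key)
    return url


def resolve_db_url(environ, files=CONFIG_FILES):
    """Whole path from environment to the (simulated) sa.create_engine(db_url) call,
    with the allow-list check in front of it."""
    return validate_db_url(load_db_url(get_config_path(environ), files))


def check_environment(environ, files=CONFIG_FILES):
    """Convenience wrapper returning (accepted, url_or_reason) instead of raising."""
    try:
        return True, resolve_db_url(environ, files)
    except KeyError as exc:
        return False, "no such config file: %s" % exc
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for path in CONFIG_FILES:
        print(path, check_environment({"CKAN_INI": path}))
```

With these constructed files, only the production URL is accepted; the sqlite URL is rejected on dialect, and the tampered one on host (and, with host checking disabled, on the `options` query key). Note what the check does not do: it cannot stop someone who can already set CKAN_INI and write a file from running the CLI with that file, which is why the source of the variable matters more than the validation.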
