[CKAN-Security] SQLi
Adrià Mercader
adria.mercader at okfn.org
Tue May 15 11:46:32 UTC 2018
Hi Leonardo,
Thanks for reaching out.
This is not a vulnerability. This API endpoint is meant to accept SQL
statements as input, to provide a SQL interface to resources stored in
the DataStore. This is explained in the Data API popup that you
mention, and the method is documented in the docs:
http://docs.ckan.org/en/2.8/maintaining/datastore.html#ckanext.datastore.logic.action.datastore_search_sql
The only SQL statements allowed are read-only, and there are other
safeguards in place.
Hope this makes sense, let me know if you have any questions.
Adrià
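To make the distinction in the reply above concrete, here is an added example (it is not CKAN code and does not reproduce the DataStore's own safeguards, which run on PostgreSQL) of what "an endpoint that accepts SQL by design" has to enforce for that design to be safe: the database engine, not the web layer, decides what the statement may do. It uses SQLite's authorizer hook so that untrusted SQL can only read an allowlisted set of tables; writes, DDL, PRAGMA, a second chained statement and reads of unlisted tables (including the schema catalogue) are all refused. The table names and rows are constructed for the example.

```python
import sqlite3

# Constructed sample: an in-memory database standing in for a datastore with
# one resource that is public and one that is not. The names are made up.
PUBLIC_TABLES = {"public_resource"}


def make_authorizer(allowed_tables):
    """Build a SQLite authorizer that permits SELECT-style reads of the
    tables in `allowed_tables` and denies everything else: INSERT/UPDATE/
    DELETE, CREATE/DROP, PRAGMA, ATTACH and reads of any other table
    (sqlite_master included, so the schema cannot be enumerated)."""

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        # A plain SELECT and calls to built-in functions (count, like, ...)
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        # For a column read arg1 is the table name and arg2 the column name
        if action == sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_OK if arg1 in allowed_tables else sqlite3.SQLITE_DENY
        # Every other action code is a write, DDL, PRAGMA, ATTACH, etc.
        return sqlite3.SQLITE_DENY

    return authorizer


def build_sample_db(allowed_tables=PUBLIC_TABLES):
    """Create the sample datastore and then lock the connection down."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE public_resource (id INTEGER, city TEXT);
        INSERT INTO public_resource VALUES (1, 'Kuala Lumpur'), (2, 'Penang');
        CREATE TABLE private_resource (id INTEGER, secret TEXT);
        INSERT INTO private_resource VALUES (1, 'not for the public API');
    """)
    # Installed after the schema is loaded; from here on this connection can
    # only read the allowlisted tables, whatever SQL text it is handed.
    conn.set_authorizer(make_authorizer(allowed_tables))
    return conn


def run_user_sql(conn, sql):
    """Execute one untrusted SQL statement.

    Returns (True, rows) on success or (False, reason) when the engine
    refuses it. The authorizer rejects forbidden statements at prepare
    time, so nothing of a denied statement is ever executed; sqlite3 also
    refuses a string that contains more than one statement."""
    try:
        cur = conn.execute(sql)
        return True, cur.fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return False, str(exc)


if __name__ == "__main__":
    db = build_sample_db()
    for stmt in [
        'SELECT * FROM "public_resource" ORDER BY id',
        'SELECT * FROM "private_resource"',
        "INSERT INTO public_resource VALUES (3, 'x')",
        "SELECT 1; DELETE FROM public_resource",
        "PRAGMA table_info(private_resource)",
        "SELECT name FROM sqlite_master",
    ]:
        print(stmt, "->", run_user_sql(db, stmt))
```

The design point is that the allowlist and the read-only rule live in the engine's authorization hook rather than in keyword filtering of the query string, so the exact shape of the SQL (quoting, comments, nesting, CTEs) does not matter to the decision. On PostgreSQL the equivalent controls are a database role with SELECT granted only on the permitted tables, a read-only transaction and a statement timeout.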
On 14 May 2018 at 19:15, Leonardo <leonardo.porpora at firewake.org> wrote:
> Hi there!
>
> I'm going to report a SQLi; to find this SQLi I passed through an XSS, CWE-79.
>
> In a first moment you have datastore_root_url that brings you to "CKAN Data
> API" and shows some examples of queries that you can do.
>
> Modifying the query with a simple SELECT on datastore_search_sql (sql
> parameter) you get the SQLi.
>
> Hope that this data can help you fix this critical vulnerability.
>
> Let me know ASAP
>
> This is a PoC:
> http://www.data.gov.my/data/ms_MY/api/action/datastore_search_sql?sql=SELECT%20*%20from%20%221816aeef-2807-4f19-80b7-63620f90f67c%22
>
> Thanks,
>
> Leonardo Porpora
>
>
> _______________________________________________
> CKAN security
> https://lists.okfn.org/mailman/listinfo/security
> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>
> Repo: https://github.com/ckan/ckan-security