[CKAN-Security] Potential http Cache poisoning

Cody B codywboyko at gmail.com
Wed Apr 24 16:11:33 UTC 2019 

Hi there,

I've come across this potential bug previously but was unsure if it was a
CKAN core issue or just an extension issue.  After further testing I
believe this is originating in CKAN core.

I have further notes on my previous experience with this issue that I'm
happy to share if you'd like. Also feel free to let me know of any other
way I can assist.

*Potential security bug:*

CKAN does not seem to pass the correct cache-control headers in some cases.
This is allowing cache servers to store some user information and return
this information to unauthenticated users. See reproducible steps below.
The below example is a simple one to demonstrate. This issue thread
<https://github.com/NaturalHistoryMuseum/ckanext-ldap/issues/40#issuecomment-485869920>
shows the potential larger issues. Note: when I posted there I didn't
really believe this was a larger issue (and I may be wrong).

*Reproducible steps:*

   1. Clean install of CKAN 2.8 on Ubuntu 16.04 LTS (and on 18.04)
   following the default Source install documentation
   <https://docs.ckan.org/en/2.8/maintaining/installing/install-from-source.html>
   and deployment with NGinx and Apache
   <https://docs.ckan.org/en/2.8/maintaining/installing/deployment.html>
   2. Add new sysadmin user.
   3. Navigate to a protected action in a new blueprint
   (***All browser testing is done in new chrome incognito windows after
   closing the previous ones***)
   *Tested example endpoint:* `http://
   <site-domain>/api/3/action/dashboard_activity_list`
   4. The expected response is given: `{"help":
"http://<domain>/api/3/action/help_show?name=dashboard_activity_list",
   "success": false, "error": {"message": "Access denied: You must be logged
   in to access your dashboard.", "__type": "Authorization Error"}}`
   5. New browser - Navigate to same url but pass an Authorization header
   with a SysAdmin user's API key. (I used a proxy to intercept the request
   and add the header to keep testing in the browser but presumably this would
   be the same with a script)
   6. The expected response is given: ` {"help":
"http://<domain>/api/3/action/help_show?name=dashboard_activity_list",
   "success": true, "result": [{"user_id":
   "45ddssaa9c4-dasdas-4451-b29e-c399a2db93d6", "timestamp":
   "2019-04-24T14:59:28.939536", "is_new": false, "object_id":
   "45ddssaa9c4-dasdas-4451-b29e-c399a2db93d6 ", "revision_id": null,
   "data": {}, "id": "36asdsas1b9-ece6-4a02-b211-f9afdsaabb927",
   "activity_type": "new user"}]}  `
   Note: it's a brand new site with no data really so no activity, but
   success is true and this is the expected response.
   7. New browser - Navigate to same url without intercepting request or
   including an authorization header with the API key and you get the same
   response `{"help":
"http://<domain>/api/3/action/help_show?name=dashboard_activity_list",
   "success": true, "result": [{"user_id":
   "45ddssaa9c4-dasdas-4451-b29e-c399a2db93d6", "timestamp":
   "2019-04-24T14:59:28.939536", "is_new": false, "object_id":
   "45ddssaa9c4-dasdas-4451-b29e-c399a2db93d6 ", "revision_id": null, "data":
   {}, "id": "36asdsas1b9-ece6-4a02-b211-f9afdsaabb927", "activity_type": "new
   user"}]}`
    Note: This is a non-authenticated user request, the expected response
   should be the same as bullet 4.
   8. Clear nginx cache or wait for it to expire (default is 30 min). In my
   case I delete the cache directories, then restart the servers.
   `sudo rm -rf /tmp/nginx_*`
   `sudo service nginx restart && sudo service apache2 restart`
   9. New browser - Navigate to same url *without* intercepting request or
   including an authorization header with the API key and you get the expected
   response as per bullet 4 : `{"help":
"http://<domain>/api/3/action/help_show?name=dashboard_activity_list",
   "success": false, "error": {"message": "Access denied: You must be logged
   in to access your dashboard.", "__type": "Authorization Error"}}`

*What I've noticed:*

   - This seemed to happen in various areas starting in CKAN 2.8.
   - A few authorization extensions (issue thread)
   <https://github.com/NaturalHistoryMuseum/ckanext-ldap/issues/40#issuecomment-485869920>
   seem to be uncovering this when users login and logout (users can't logout,
   or user switching is happening). I think this is around the session related
   info being cached unexpectedly (session cookies?). So even though CKAN
   tries to clear cookies on logout (`check_session_cookie`, NGinx is
   returning active session info on some requests.
   - There was a decent amount of work done on flask blueprints and caching
   in CKAN around 2.8. I've done some comparisons to 2.7 and 2.8 to see the
   changes but there are many.
   - CKAN application code isn't passing the right cache-control header
   values on some responses which is causing them to be cached when they
   shouldn't be

Thanks,
Cody
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190424/4efa6596/attachment.html>

More information about the Security mailing list