[CKAN-Security] Potential http Cache poisoning
Adrià Mercader
adria.mercader at okfn.org
Mon Apr 29 09:35:09 UTC 2019
One more thing,
Are you using the standard CKAN package installation? Have you customized
the cache settings in Nginx? Can you share your nginx configuration?
Thanks a lot,
Adrià
On Mon, 29 Apr 2019 at 11:32, Adrià Mercader <adria.mercader at okfn.org>
wrote:
> Thanks for the report Cody. We'll discuss it and get back to you as soon
> as we can. Also feel free to join one of our public meetings in case you
> want to discuss it further.
>
> Dev Meetings Notes - HackMD <https://hack.allmende.io/ckan-meeting>
>
> On Mon, 29 Apr 2019 at 11:24, Cody B <codywboyko at gmail.com> wrote:
>
>> Hi there,
>>
>> I've come across this potential bug previously but was unsure if it was a
>> CKAN core issue or just an extension issue. After further testing I
>> believe this is originating in CKAN core.
>>
>> I have further notes on my previous experience with this issue that I'm
>> happy to share if you'd like. Also feel free to let me know of any other
>> way I can assist.
>>
>> *Potential security bug:*
>>
>> CKAN does not seem to pass the correct cache-control headers in some
>> cases. This is allowing cache servers to store some user information and
>> return this information to unauthenticated users. See reproducible steps
>> below. The below example is a simple one to demonstrate. This issue
>> thread
>> <https://github.com/NaturalHistoryMuseum/ckanext-ldap/issues/40#issuecomment-485869920>
>> shows the potential larger issues. Note: when I posted there I didn't
>> really believe this was a larger issue (and I may be wrong).
>>
>> *Reproducible steps:*
>>
>> 1. Clean install of CKAN 2.8 on Ubuntu 16.04 LTS (and on 18.04)
>> following the default Source install documentation
>> <https://docs.ckan.org/en/2.8/maintaining/installing/install-from-source.html>
>> and deployment with NGinx and Apache
>> <https://docs.ckan.org/en/2.8/maintaining/installing/deployment.html>
>> 2. Add new sysadmin user.
>> 3. Navigate to a protected action in a new blueprint
>> (***All browser testing is done in new chrome incognito windows after
>> closing the previous ones***)
>> *Tested example endpoint:* `http://
>> <site-domain>/api/3/action/dashboard_activity_list`
>> 4. The expected response is given: `{"help": "http://<domain>/api/3/action/help_show?name=dashboard_activity_list",
>> "success": false, "error": {"message": "Access denied: You must be logged
>> in to access your dashboard.", "__type": "Authorization Error"}}`
>> 5. New browser - Navigate to same url but pass an Authorization
>> header with a SysAdmin user's API key. (I used a proxy to intercept the
>> request and add the header to keep testing in the browser but presumably
>> this would be the same with a script)
>> 6. The expected response is given: ` {"help": "http://<domain>/api/3/action/help_show?name=dashboard_activity_list",
>> "success": true, "result": [{"user_id":
>> "45ddssaa9c4-dasdas-4451-b29e-c399a2db93d6", "timestamp":
>> "2019-04-24T14:59:28.939536", "is_new": false, "object_id":
>> "45ddssaa9c4-dasdas-4451-b29e-c399a2db93d6 ", "revision_id": null,
>> "data": {}, "id": "36asdsas1b9-ece6-4a02-b211-f9afdsaabb927",
>> "activity_type": "new user"}]} `
>> Note: it's a brand new site with no data really so no activity, but
>> success is true and this is the expected response.
>> 7. New browser - Navigate to same url without intercepting request or
>> including an authorization header with the API key and you get the same
>> response `{"help": "http://<domain>/api/3/action/help_show?name=dashboard_activity_list",
>> "success": true, "result": [{"user_id":
>> "45ddssaa9c4-dasdas-4451-b29e-c399a2db93d6", "timestamp":
>> "2019-04-24T14:59:28.939536", "is_new": false, "object_id":
>> "45ddssaa9c4-dasdas-4451-b29e-c399a2db93d6 ", "revision_id": null, "data":
>> {}, "id": "36asdsas1b9-ece6-4a02-b211-f9afdsaabb927", "activity_type": "new
>> user"}]}`
>> Note: This is a non-authenticated user request, the expected
>> response should be the same as bullet 4.
>> 8. Clear nginx cache or wait for it to expire (default is 30 min). In
>> my case I delete the cache directories, then restart the servers.
>> `sudo rm -rf /tmp/nginx_*`
>> `sudo service nginx restart && sudo service apache2 restart`
>> 9. New browser - Navigate to same url *without* intercepting request
>> or including an authorization header with the API key and you get the
>> expected response as per bullet 4 : `{"help": "http://<domain>/api/3/action/help_show?name=dashboard_activity_list",
>> "success": false, "error": {"message": "Access denied: You must be logged
>> in to access your dashboard.", "__type": "Authorization Error"}}`
>>
>> *What I've noticed:*
>>
>> - This seemed to happen in various areas starting in CKAN 2.8.
>> - A few authorization extensions (issue thread)
>> <https://github.com/NaturalHistoryMuseum/ckanext-ldap/issues/40#issuecomment-485869920>
>> seem to be uncovering this when users login and logout (users can't logout,
>> or user switching is happening). I think this is around the session related
>> info being cached unexpectedly (session cookies?). So even though CKAN
>> tries to clear cookies on logout (`check_session_cookie`, NGinx is
>> returning active session info on some requests.
>> - There was a decent amount of work done on flask blueprints and
>> caching in CKAN around 2.8. I've done some comparisons to 2.7 and 2.8 to
>> see the changes but there are many.
>> - CKAN application code isn't passing the right cache-control header
>> values on some responses which is causing them to be cached when they
>> shouldn't be
>>
>> Thanks,
>> Cody
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190429/96413017/attachment-0001.html>
More information about the Security
mailing list