[CKAN-Security] Auth_tkt Cookie Spoofing

Ian Ward ian at excess.org
Mon Dec 9 12:38:46 UTC 2019


Sounds good to me. Those changes should be part of ckan and not rely on
having an extension installed.

On Sun, Dec 8, 2019, 7:09 AM Shubham Mahajan <mr.shubhammahajan at gmail.com>
wrote:

> Hi Ian,
>
> There are two issues here: one is that the cookie is not invalidated
> even after the user has logged out, and the second is that the single
> cookie is the only source of truth here.
>
> I would like to suggest having a timeout on the cookie, because right now
> the cookie is not invalidated even after 10 days, and secondly managing
> a server-side session as well, so that impersonating a user with the
> cookie will not be that easy.
>
> While implementing this I came across
> https://github.com/data-govt-nz/ckanext-security extension. The extension
> solved the problem, but I would suggest fixing this in core CKAN only. If
> it is okay, I would like to take this issue and fix it and will raise a PR
> once I am satisfied with it. Please give your feedback.
>
> On Thu, Aug 1, 2019 at 6:00 PM Ian Ward <ian at excess.org> wrote:
>
>> Thank you for keeping on us about this, Shubham,
>>
>> What do you see as an appropriate fix? Should we be recording the log
>> out on the server side and verifying the cookies against the database
>> on every page view? Would enforcing a time limit on cookies be good
>> enough instead?
>>
>> Ian
>>
>> On Mon, Jul 22, 2019 at 5:00 AM Shubham Mahajan
>> <mr.shubhammahajan at gmail.com> wrote:
>> >
>> > Hi Team
>> >
>> > I am really looking forward to an update in the form of an
>> > acknowledgement or a timeline to fix.
>> >
>> >
>> >
>> > On Sun, Jun 30, 2019 at 8:23 PM Shubham Mahajan <mr.shubhammahajan at gmail.com> wrote:
>> >>
>> >> Hi Adrià,
>> >>
>> >> I have tested this scenario with different methods and want to discuss
>> >> with your team.
>> >> Let me know if you have any questions.
>> >>
>> >>
>> >> On Tue, Mar 12, 2019 at 5:00 PM Shubham Mahajan <mr.shubhammahajan at gmail.com> wrote:
>> >>>
>> >>> Hi Adrià,
>> >>>
>> >>> Any update on the below one?
>> >>>
>> >>> On Tue, Feb 19, 2019 at 5:51 PM Adrià Mercader <adria.mercader at okfn.org> wrote:
>> >>>>
>> >>>> Thanks for the report Shubham,
>> >>>> The tech team will assess this and come back to you as soon as
>> >>>> possible.
>> >>>>
>> >>>> Best Regards,
>> >>>>
>> >>>> Adrià
>> >>>>
>> >>>>
>> >>>> On Tue, 19 Feb 2019 at 14:15, Shubham Mahajan <mr.shubhammahajan at gmail.com> wrote:
>> >>>>>
>> >>>>> Hi Team,
>> >>>>>
>> >>>>> I was going through my project and found a security issue in
>> >>>>> CKAN core.
>> >>>>>
>> >>>>> ### CKAN Version if known (or site URL)
>> >>>>> ckan - 2.7.2 and https://demo.ckan.org/
>> >>>>>
>> >>>>> ### Please describe the expected behaviour
>> >>>>> The cookie should be invalidated if it is copied from another
>> >>>>> location or device, or when the user has logged out from the device.
>> >>>>>
>> >>>>> ### Please describe the actual behaviour
>> >>>>> Once you log into CKAN, the auth_tkt cookie is generated. If I
>> >>>>> copy this cookie (or an attacker obtains it), open a fresh CKAN
>> >>>>> portal and embed the same cookie, it allows login to the CKAN portal.
>> >>>>> Even if you log out and use the old cookie, it will still allow you
>> >>>>> to log in. Tested on demo.ckan.org also.
>> >>>>>
>> >>>>> ### What steps can be taken to reproduce the issue?
>> >>>>> 1. Login to demo.ckan.org
>> >>>>> 2. Copy auth_tkt cookie.
>> >>>>> 3. Paste that cookie in any other machine or browser or private
>> >>>>>    mode.
>> >>>>>
>> >>>>> It will log you in.
>> >>>>>
>> >>>>> *Even if you log out, log in again, log out and then use the old
>> >>>>> cookie, it is still working.
>> >>>>>
>> >>>>> --
>> >>>>> Regards,
>> >>>>>
>> >>>>> Shubham Mahajan
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> CKAN security
>> >>>>> https://lists.okfn.org/mailman/listinfo/security
>> >>>>>
>> >>>>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>> >>>>>
>> >>>>> Repo: https://github.com/ckan/ckan-security
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> Regards,
>> >>>
>> >>> Shubham Mahajan
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Regards,
>> >>
>> >> Shubham Mahajan
>> >>
>> >
>> >
>> >
>> > --
>> > Regards,
>> >
>> > Shubham Mahajan
>> >
>>
>
>
> --
> Regards,
> Shubham Mahajan
>
>
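The two mitigations discussed in this thread, a hard lifetime limit on the ticket and a server-side session record that is consulted on every request so that logging out actually invalidates the cookie, are sketched below as an added example. This is not CKAN's or the ckanext-security extension's own code: the ticket layout, the HMAC-SHA256 signature, the in-memory session table, the SECRET value and the one-day MAX_AGE are all assumptions made for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Assumptions for this demo (not CKAN's real configuration):
SECRET = b"constructed-demo-secret-change-me"   # per-deployment signing key
MAX_AGE = 24 * 60 * 60                          # ticket lifetime in seconds (1 day)

# Server-side session registry: session_id -> (user, issued_at).
# In a real deployment this would live in the database so that every
# request can be checked against it; this dict stands in for that table.
active_sessions = {}


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the ticket payload, hex encoded."""
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_ticket(user: str, now=None) -> str:
    """Log the user in: record a fresh session server-side, return the cookie value."""
    issued = int(time.time() if now is None else now)
    session_id = secrets.token_hex(16)          # unguessable per-login identifier
    payload = f"{session_id}|{user}|{issued}".encode()
    active_sessions[session_id] = (user, issued)
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _parse(ticket: str):
    """Return (session_id, user, issued) if the signature verifies, else None."""
    try:
        b64, sig = ticket.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        session_id, user, issued = payload.decode().split("|")
        issued = int(issued)
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    return session_id, user, issued


def validate_ticket(ticket: str, now=None):
    """Return the user name for a live, unexpired, untampered ticket, else None."""
    now = int(time.time() if now is None else now)
    parsed = _parse(ticket)
    if parsed is None:
        return None
    session_id, user, issued = parsed
    if now - issued > MAX_AGE:                  # hard lifetime limit on the cookie
        return None
    session = active_sessions.get(session_id)   # server-side record is the source of truth
    if session is None or session[0] != user:
        return None
    return user


def logout(ticket: str) -> bool:
    """Remove the server-side record; any later replay of this cookie fails."""
    parsed = _parse(ticket)
    if parsed is None:
        return False
    return active_sessions.pop(parsed[0], None) is not None
```

With only the signature and the timeout, a copied cookie keeps working until it expires; the server-side lookup in validate_ticket is what makes logout effective, and because each login gets its own session_id, logging out one browser does not disturb another session of the same user.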