[CKAN-Security] Auth_tkt Cookie Spoofing

Shubham Mahajan mr.shubhammahajan at gmail.com
Tue Feb 19 12:58:11 UTC 2019

Hi Team,

I was going through my project and found out security issue in the CKAN

### CKAN Version if known (or site URL)
ckan - 2.7.2 and https://demo.ckan.org/

### Please describe the expected behaviour
The cookie should be invalidated if it is copied from other location or
other device or when the user logged out from the device.

### Please describe the actual behaviour
Once you logged into the CKAN, the cookie auth_tkt is generated. If I copy
this cookie or the attacker got the cookie and open a fresh ckan portal and
embedded the same cookie, its allowing to login to ckan portal.
Even if you logout and use the old cookie, it will allow you to login.
Tested in demo.ckan.org also.

### What steps can be taken to reproduce the issue?
1. Login to demo.ckan.org
2. Copy auth_tkt cookie.
3. Paste that cookie in any other machine or browser or private mode.

It will log you in.

*Even if you logout and login again and logout and use the old cookie, its
still working.


Shubham Mahajan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.okfn.org/mailman/private/security/attachments/20190219/07241138/attachment.html>

More information about the Security mailing list