[CKAN-Security] Auth_tkt Cookie Spoofing
adria.mercader at okfn.org
Tue Feb 19 13:51:41 UTC 2019
Thanks for the report Shubham,
The tech team will assess this and come back to you as soon as possible.
On Tue, 19 Feb 2019 at 14:15, Shubham Mahajan <mr.shubhammahajan at gmail.com>
> Hi Team,
> I was going through my project and found a security issue in CKAN.
> ### CKAN Version if known (or site URL)
> ckan - 2.7.2 and https://demo.ckan.org/
> ### Please describe the expected behaviour
> The cookie should be invalidated if it is copied from another location or
> another device, or when the user has logged out from the device.
> ### Please describe the actual behaviour
> Once you have logged into CKAN, the auth_tkt cookie is generated. If I copy
> this cookie, or an attacker obtains the cookie, open a fresh CKAN portal and
> embed the same cookie, it allows login to the CKAN portal.
> Even if you log out and use the old cookie, it will allow you to log in.
> Tested in demo.ckan.org also.
> ### What steps can be taken to reproduce the issue?
> 1. Log in to demo.ckan.org.
> 2. Copy the auth_tkt cookie.
> 3. Paste that cookie into any other machine, browser or private mode.
> It will log you in.
> *Even if you log out, log in again, log out and use the old cookie, it is
> still working.
> Shubham Mahajan
> CKAN security
> Repo: https://github.com/ckan/ckan-security
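Added illustration, not CKAN's or repoze.who's own code: a simplified auth_tkt-style signed cookie checked two ways, purely by signature (which is why the reported old cookie keeps working after logout) and against a server-side registry of live sessions that logout revokes. The signing secret and user name are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in a deployment this is the server's private signing secret.
SECRET = b"constructed-demo-signing-secret"


def make_ticket(user_id: str) -> str:
    """Build a signed cookie: hex(HMAC(secret, nonce!user)) + '!' + nonce!user."""
    nonce = secrets.token_hex(8)
    payload = f"{nonce}!{user_id}"
    digest = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{digest}!{payload}"


def verify_stateless(ticket: str):
    """Reported behaviour: only the signature is checked, so a cookie copied
    elsewhere, or kept after logout, stays valid until the key changes."""
    digest, _, payload = ticket.partition("!")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None
    return payload.split("!", 1)[1]


# Hardened variant: the server remembers which tickets are still live.
# Only a hash of the ticket is stored so the registry never holds a usable cookie.
_live_tickets = set()


def _key(ticket: str) -> str:
    return hashlib.sha256(ticket.encode()).hexdigest()


def login(user_id: str) -> str:
    ticket = make_ticket(user_id)
    _live_tickets.add(_key(ticket))
    return ticket


def logout(ticket: str) -> None:
    """Revoke the ticket server-side; the cookie string itself is unchanged."""
    _live_tickets.discard(_key(ticket))


def verify_stateful(ticket: str):
    """Signature must verify AND the ticket must not have been logged out."""
    user = verify_stateless(ticket)
    if user is None or _key(ticket) not in _live_tickets:
        return None
    return user
```

Rotating the signing key also kills every outstanding ticket at once, but it logs out all users; a per-ticket registry (or a per-user session version stored with the account) lets logout revoke only the session that ended.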