[CKAN-Security] Auth_tkt Cookie Spoofing

Shubham Mahajan mr.shubhammahajan at gmail.com
Sun Jun 30 16:23:59 UTC 2019


Hi Adrià,

I have tested this scenario with different methods and want to discuss with
your team.
Let me know if you have any questions.


On Tue, Mar 12, 2019 at 5:00 PM Shubham Mahajan <mr.shubhammahajan at gmail.com>
wrote:

> Hi Adrià,
>
> Any update on the below one?
>
> On Tue, Feb 19, 2019 at 5:51 PM Adrià Mercader <adria.mercader at okfn.org>
> wrote:
>
>> Thanks for the report Shubham,
>> The tech team will assess this and come back to you as soon as possible.
>>
>> Best Regards,
>>
>> Adrià
>>
>>
>> On Tue, 19 Feb 2019 at 14:15, Shubham Mahajan <
>> mr.shubhammahajan at gmail.com> wrote:
>>
>>> Hi Team,
>>>
>>> I was going through my project and found a security issue in the CKAN
>>> core.
>>>
>>> ### CKAN Version if known (or site URL)
>>> ckan - 2.7.2 and https://demo.ckan.org/
>>>
>>> ### Please describe the expected behaviour
>>> The cookie should be invalidated if it is copied from another location or
>>> another device, or when the user logs out from the device.
>>>
>>> ### Please describe the actual behaviour
>>> Once you have logged into CKAN, the cookie auth_tkt is generated. If I
>>> copy this cookie, or an attacker gets the cookie, and open a fresh CKAN
>>> portal and embed the same cookie, it allows login to the CKAN portal.
>>> Even if you log out and use the old cookie, it will allow you to log in.
>>> Tested on demo.ckan.org also.
>>>
>>> ### What steps can be taken to reproduce the issue?
>>> 1. Login to demo.ckan.org
>>> 2. Copy auth_tkt cookie.
>>> 3. Paste that cookie in any other machine or browser or private mode.
>>>
>>> It will log you in.
>>>
>>> *Even if you log out and log in again and log out and use the old cookie,
>>> it's still working.
>>>
>>> --
>>> Regards,
>>>
>>> Shubham Mahajan
>>>
>>> Repo: https://github.com/ckan/ckan-security
>>
>>
>
> --
> Regards,
>
>
> Shubham Mahajan
>


-- 
Regards,


Shubham Mahajan
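One server-side mitigation for the behaviour reported above (a signed auth_tkt-style cookie that stays valid after logout and works from any device), as an added example that is not CKAN's or repoze.who's own code: the ticket stays stateless and HMAC-signed, but it also carries a per-user "session generation" that the server bumps on logout, so every previously issued copy of the cookie fails verification. The ticket layout, `SessionStore`, and the function names are constructed for illustration, not CKAN's real format.

```python
import hashlib
import hmac
import time

# Constructed example: signed, stateless ticket (in the spirit of auth_tkt) plus a
# server-side per-user generation counter. Bumping the counter on logout revokes
# every ticket issued before that point, wherever it was copied to.
# Layout and names are assumptions for illustration, not repoze.who's format.

SECRET = b"constructed-server-secret-rotate-me"   # server-side only, never in the cookie


class SessionStore:
    """Server-side state: current session generation per user (DB/Redis in practice)."""

    def __init__(self):
        self._generation = {}

    def current(self, user):
        return self._generation.get(user, 0)

    def logout(self, user):
        # Invalidate every outstanding ticket for this user, on every device.
        self._generation[user] = self.current(user) + 1


def _sign(user, generation, issued_at):
    msg = f"{user}|{generation}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_ticket(store, user, issued_at=None):
    """Cookie value: <hex hmac>|<issued_at>|<generation>|<user>."""
    issued_at = int(issued_at if issued_at is not None else time.time())
    gen = store.current(user)
    return f"{_sign(user, gen, issued_at)}|{issued_at}|{gen}|{user}"


def validate_ticket(store, cookie, now=None, max_age=3600):
    """Return the user if the ticket is authentic, unexpired and not revoked, else None."""
    now = int(now if now is not None else time.time())
    try:
        sig, issued_at, gen, user = cookie.split("|", 3)
        issued_at, gen = int(issued_at), int(gen)
    except ValueError:
        return None                          # malformed cookie
    if not hmac.compare_digest(sig, _sign(user, gen, issued_at)):
        return None                          # forged or tampered
    if now - issued_at > max_age:
        return None                          # expired
    if gen != store.current(user):
        return None                          # revoked by a logout
    return user
```

Binding the ticket to a device (for example by including a client fingerprint in the signed message) would address the copy-to-another-machine case too, but the generation counter alone already closes the logout gap the report describes.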