[CKAN-Security] Auth_tkt Cookie Spoofing

Shubham Mahajan mr.shubhammahajan at gmail.com
Tue Mar 12 13:00:52 UTC 2019


Hi Adrià,

Any update on the below one?

On Tue, Feb 19, 2019 at 5:51 PM Adrià Mercader <adria.mercader at okfn.org>
wrote:

> Thanks for the report Shubham,
> The tech team will assess this and come back to you as soon as possible.
>
> Best Regards,
>
> Adrià
>
>
> On Tue, 19 Feb 2019 at 14:15, Shubham Mahajan <mr.shubhammahajan at gmail.com>
> wrote:
>
>> Hi Team,
>>
>> I was going through my project and found a security issue in the CKAN
>> core.
>>
>> ### CKAN Version if known (or site URL)
>> ckan - 2.7.2 and https://demo.ckan.org/
>>
>> ### Please describe the expected behaviour
>> The cookie should be invalidated if it is copied from another location or
>> another device, or when the user logs out from the device.
>>
>> ### Please describe the actual behaviour
>> Once you log into CKAN, the auth_tkt cookie is generated. If I
>> copy this cookie, or an attacker gets the cookie, and open a fresh CKAN
>> portal with the same cookie embedded, it allows logging in to the CKAN portal.
>> Even if you log out and use the old cookie, it will allow you to log in.
>> Tested on demo.ckan.org also.
>>
>> ### What steps can be taken to reproduce the issue?
>> 1. Log in to demo.ckan.org.
>> 2. Copy the auth_tkt cookie.
>> 3. Paste that cookie into any other machine, browser, or private mode.
>>
>> It will log you in.
>>
>> *Even if you log out, log in again, log out, and use the old cookie,
>> it is still working.
>>
>> --
>> Regards,
>>
>> Shubham Mahajan
>>
>> _______________________________________________
>> CKAN security
>> https://lists.okfn.org/mailman/listinfo/security
>> https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>
>> Repo: https://github.com/ckan/ckan-security
>
>

-- 
Regards,


*Shubham Mahajan *
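The report above describes a signed, stateless cookie that stays valid after logout. As an added illustration that is not part of this thread or of CKAN's code, the following assumes a constructed signing secret and shows an auth_tkt-style signature-only ticket beside a variant that records a random session id server-side so that logout actually revokes the cookie (a short max_age then bounds how long a copied cookie can be reused).

```python
import hashlib
import hmac
import secrets

# Constructed signing secret for the demo (an assumption, not CKAN's config).
SECRET = b"demo-signing-secret-not-for-production"

def sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_stateless_ticket(user, issued):
    # Signature-only ticket, auth_tkt style: the server records nothing,
    # so the cookie is a bearer credential and logout cannot revoke it.
    payload = f"{issued}:{user}"
    return f"{sign(payload)}:{payload}"

def verify_stateless(ticket, now, max_age=3600):
    sig, issued, user = ticket.split(":", 2)
    if not hmac.compare_digest(sig, sign(f"{issued}:{user}")):
        return None  # forged or tampered
    return user if now - int(issued) <= max_age else None  # only expiry ends it

class RevocableSessions:
    """Same signed ticket plus a random session id the server records;
    logout deletes the id, so a copied or stale cookie stops verifying."""

    def __init__(self):
        self._active = {}  # session id -> user

    def login(self, user, issued):
        sid = secrets.token_urlsafe(24)
        self._active[sid] = user
        payload = f"{issued}:{sid}:{user}"
        return f"{sign(payload)}:{payload}"

    def verify(self, ticket, now, max_age=3600):
        parts = ticket.split(":", 3)
        if len(parts) != 4:
            return None
        sig, issued, sid, user = parts
        if not hmac.compare_digest(sig, sign(f"{issued}:{sid}:{user}")):
            return None
        if now - int(issued) > max_age or self._active.get(sid) != user:
            return None  # expired, or revoked by logout
        return user

    def logout(self, ticket):
        parts = ticket.split(":", 3)
        if len(parts) == 4:
            self._active.pop(parts[2], None)
```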