[CKAN-Security] CSS Vulnerability
Stefanie Taepke
stefanie.taepke at liip.ch
Mon Mar 25 08:53:35 UTC 2019
Hey CKAN-Core Team,
we have been made aware of a CSS Vulnerability on our CKAN portals, and I am not sure how severe it is.
---
CKAN Versions affected: 2.8.1 and 2.5.2 (Our portals: https://opendata.swiss and https://opentransportdata.swiss)
Reproduce: The Vulnerability that was forwarded to us is found via this link:
https://{CKAN_URL}/en/api/1/util/snippet/api_info.html?resource_id={{resource_id}}&datastore_root_url=&datastore_root_url=javascript:prompt(%27XSSED%20By%20Hazem%27)/
A click on ‘Example: Javascript >>’ then executes the JavaScript-Command. I was able to reproduce on two of our portals.
—
This was the original mail forwarded to us:
On Fri Mar 22 08:03:00 2019, Hazem Brini <apple.hazem at gmail.com> wrote:
> Hi Team,
>
> I came across one of your government sub domains ,
> https://opentransportdata.swiss and have found a critical bug XSS (
> Reflected).
>
> #Description
>
> Bug Name : XSS (Cross Site Request Reflected)
>
> Vulnerable website : https://opentransportdata.swiss
>
> Vulnerable parameter : datastore_root_url=
>
> Payload : javascript:prompt(document.cookie)/
>
> Vulnerable URL :
> https://opentransportdata.swiss/en/api/1/util/snippet/api_info.html?resource_id=02027869-bb85-472b-a9d2-4c30b8304fc2&datastore_root_url=&datastore_root_url=javascript:prompt(%27XSSED%20By%20Hazem%27)/
>
>
>
> #Reproduction Steps
>
>
> 1. Open this website:
> https://opentransportdata.swiss/en/api/1/util/snippet/api_info.html?resource_id=02027869-bb85-472b-a9d2-4c30b8304fc2&datastore_root_url=&datastore_root_url=javascript:prompt(%27XSSED%20By%20Hazem%27)/
>
> 2. Click on the reflected url ( below Query example )
>
> 3. You'll get a XSS popup showing your cookies.
>
>
>
> #POC
>
>
> [image.png]
>
> #For more details about this bug :
> https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
>
> Kind Regards,
> Hazem Brini
Though I am not sure whether that is severe or not, I wanted to ask if you are aware of it, whether it is due to an outdated CKAN release, or whether it is perhaps not dangerous at all.
It would be great to hear your thoughts on this. Let me know if I can help you out or if you need more information (though, as of now, I don't know much more than that).
Thank you and best regards,
Steffi
GitHub: @stefina (https://github.com/stefina)
--
Liip AG // Limmatstrasse 183 // CH-8005 Zürich
Tel +41 43 500 39 80 // GPG 2E9EE491 // www.liip.ch
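The defect class behind the report, as an added example that is not part of the original mail and is neither CKAN's api_info.html snippet nor CKAN's fix: a query parameter (datastore_root_url) is written into an href, and HTML escaping alone does not neutralise a javascript: URL, because browsers decode character entities inside attribute values before interpreting the scheme. The template shape (root URL followed by "/datastore_search?resource_id=..."), the configured default root, the host allow-list and the choice of taking the last value of a repeated parameter are all assumptions made for illustration.

```python
"""Stand-in for the datastore_root_url handling described in the report.

Added example: NOT CKAN's api_info.html snippet and NOT CKAN's fix. It models
the generic defect: a query parameter lands in an href, and HTML escaping
alone does not stop a javascript: URL. The template shape, configured default
and host allow-list are assumptions for illustration.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed inputs. REPORTED_QUERY is the query string from the report;
# BENIGN_QUERY is what a legitimate caller would send.
REPORTED_QUERY = (
    "resource_id=02027869-bb85-472b-a9d2-4c30b8304fc2"
    "&datastore_root_url=&datastore_root_url="
    "javascript:prompt(%27XSSED%20By%20Hazem%27)/"
)
BENIGN_QUERY = (
    "resource_id=02027869-bb85-472b-a9d2-4c30b8304fc2"
    "&datastore_root_url=https://opentransportdata.swiss/api/3/action"
)

# Assumed deployment values: the root the portal itself would configure, and
# the hosts a datastore root may point at.
CONFIGURED_ROOT = "https://opentransportdata.swiss/api/3/action"
ALLOWED_HOSTS = {"opentransportdata.swiss", "opendata.swiss"}


def last_param(query, name, default=""):
    """Return the last value of a (possibly repeated) query parameter.

    The reported URL sends datastore_root_url twice, empty first and the
    payload second. Taking the last value is an assumption about how the web
    framework resolves duplicates; it is what lets the payload reach the href.
    """
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return values[-1] if values else default


def render_example_link_vulnerable(query):
    """Vulnerable stand-in: trust the parameter, escape it, put it in an href.

    escape() turns the quotes into &#x27;, but the browser decodes entities in
    attribute values, so the href is still a javascript: URL that runs on click.
    """
    root = last_param(query, "datastore_root_url", CONFIGURED_ROOT)
    resource_id = last_param(query, "resource_id")
    href = escape(f"{root}/datastore_search?resource_id={resource_id}", quote=True)
    return f'<a href="{href}">Example: Javascript &gt;&gt;</a>'


def safe_datastore_root(candidate, default=CONFIGURED_ROOT):
    """Accept only absolute http(s) URLs on an allow-listed host; else fall back.

    Checking the scheme (not merely escaping) is what defeats javascript:,
    data: and vbscript: hrefs. Rebuilding the URL drops query and fragment,
    and the userinfo check rejects https://opendata.swiss@evil.example/.
    urlsplit() lower-cases the scheme, so "JAVASCRIPT:" is caught as well.
    """
    parts = urlsplit(candidate.strip())
    if parts.scheme not in ("http", "https"):
        return default
    if parts.hostname not in ALLOWED_HOSTS or "@" in parts.netloc:
        return default
    return urlunsplit((parts.scheme, parts.netloc, parts.path.rstrip("/"), "", ""))


def render_example_link_safe(query):
    """Hardened stand-in: same template, but the root goes through the allow-list."""
    root = safe_datastore_root(last_param(query, "datastore_root_url", CONFIGURED_ROOT))
    resource_id = last_param(query, "resource_id")
    href = escape(f"{root}/datastore_search?resource_id={resource_id}", quote=True)
    return f'<a href="{href}">Example: Javascript &gt;&gt;</a>'


if __name__ == "__main__":
    print(render_example_link_vulnerable(REPORTED_QUERY))
    print(render_example_link_safe(REPORTED_QUERY))
```

Running the block prints the two rendered links: the first carries a javascript: href with the quotes entity-encoded, the second falls back to the configured root. The point for a reviewer is that a server-side check on the scheme and host of a URL destined for an href is a separate control from output encoding; a template engine's autoescaping does not provide it.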