[CKAN-Security] CSS Vulnerability

Adrià Mercader adria.mercader at okfn.org
Tue Mar 26 12:56:31 UTC 2019


Hi Stefanie,

Thanks for reaching out. The vulnerability that you mentioned was patched a
while ago. The actual patch is this one:

https://github.com/ckan/ckan/commit/a756b27def632038a88dacef5c07f7d99d17580e

This was included on 2.8, so all versions on that line should not be
affected.
For CKAN 2.5 the fix was included in the patch releases so upgrading to the
latest patch release (2.5.9) should address the issue. Note that 2.5.x is
no longer maintained so we recommend upgrading to a newer CKAN version when
possible.

Hope this helps, let me know if you have any questions.

Best,

Adrià


On Mon, 25 Mar 2019 at 10:06, Stefanie Taepke <stefanie.taepke at liip.ch>
wrote:

> Hey CKAN-Core Team,
>
> we have been made aware of a CSS Vulnerability of our CKAN portals, and I
> am not sure how severe it is.
>
> ---
> *CKAN Versions affected*: 2.8.1 and 2.5.2 (Our portals:
> https://opendata.swiss and https://opentransportdata.swiss )
>
> *Reproduce:* The vulnerability that was forwarded to us is found via this
> link:
>
> https://{{CKAN_URL}}/en/api/1/util/snippet/api_info.html?resource_id={{resource_id}}&datastore_root_url=&datastore_root_url=javascript:prompt(%27XSSED%20By%20Hazem%27)/
>
> A click on ‘Example: Javascript >>’ then executes the JavaScript-Command.
> I was able to reproduce on two of our portals.
>
> This was the original mail forwarded to us:
> On Fri Mar 22 08:03:00 2019, Hazem Brini <apple.hazem at gmail.com> wrote:
>
> Hi Team,
>
> I came across one of your government subdomains,
> https://opentransportdata.swiss and have found a critical bug XSS
> (Reflected).
>
> #Description
>
> Bug Name: XSS (Cross Site Request Reflected)
>
> Vulnerable website : https://opentransportdata.swiss
>
> Vulnerable parameter : datastore_root_url=
>
> Payload : javascript:prompt(document.cookie)/
>
> Vulnerable URL :
>
> https://opentransportdata.swiss/en/api/1/util/snippet/api_info.html?resource_id=02027869-bb85-472b-a9d2-4c30b8304fc2&datastore_root_url=&datastore_root_url=javascript:prompt(%27XSSED%20By%20Hazem%27)/
>
>
>
> #Reproduction Steps
>
>
> 1. Open this website:
>
> https://opentransportdata.swiss/en/api/1/util/snippet/api_info.html?resource_id=02027869-bb85-472b-a9d2-4c30b8304fc2&datastore_root_url=&datastore_root_url=javascript:prompt(%27XSSED%20By%20Hazem%27)/
>
> 2. Click on the reflected url (below Query example)
>
> 3. You'll get an XSS popup showing your cookies.
>
>
>
> #POC
>
>
> [image.png]
>
> #For more details about this bug :
> https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
>
> Kind Regards,
> Hazem Brini
>
>
>
> Though I am not sure if that is severe or not I wanted to ask if you are
> aware of that or if it is due to an outdated CKAN-Release or maybe not
> dangerous at all.
>
> Would be great to hear your thoughts on this. Let me know if I can help
> you out or if you need more information (though, as of now, I don't know
> much more than that).
>
>
> Thank you and best regards,
> Steffi
>
>
> Github: @stefina <https://github.com/stefina>
> --
>
> Liip AG // Limmatstrasse 183 // CH-8005 Zürich
> Tel +41 43 500 39 80 // GPG 2E9EE491 // www.liip.ch
>
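The report above hinges on a URL-valued query parameter being placed into an href unchanged, so a `javascript:` scheme survives HTML escaping untouched. The following is an added illustration written for this page, not CKAN's code and not the patch Adrià links; the function names (`safe_href`, `render_link`, `hrefs_from_query`) and the sample query string are constructed here. It shows the check a template should apply before reflecting such a parameter: allow-list the scheme, reject scheme-relative and control-character-padded values, and validate every occurrence of a parameter that the reported URL passes twice.

```python
import html
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_href(value, fallback="#"):
    """Return value only if it is an absolute http(s) URL or a single-slash
    relative path; anything else (javascript:, data:, //host, empty) becomes
    the fallback. HTML escaping alone does not help here: a javascript: URL
    contains nothing an attribute escaper would rewrite."""
    if value is None:
        return fallback
    # Drop control characters (tab, newline) that browsers skip when reading
    # a scheme, so "java\tscript:" cannot slip past the scheme check.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    parts = urlsplit(cleaned)
    if parts.scheme == "":
        # Scheme-relative "//host/..." would still point off-site.
        if cleaned.startswith("/") and not cleaned.startswith("//"):
            return cleaned
        return fallback
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback
    return cleaned


def render_link(url_param, label="Example: Javascript >>"):
    """Build the anchor the way a template would: validate the scheme first,
    then escape for the attribute and text contexts."""
    href = safe_href(url_param)
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(label))


def hrefs_from_query(query_string, param="datastore_root_url"):
    """Validate every occurrence of the parameter: the reported URL sends it
    twice (once empty, once with the payload), and a template that takes
    'the' value may receive either one depending on the framework."""
    values = parse_qs(query_string, keep_blank_values=True).get(param, [])
    return [safe_href(v) for v in values]


if __name__ == "__main__":
    # Constructed sample query string mirroring the shape of the report.
    qs = ("resource_id=RESOURCE_ID_PLACEHOLDER"
          "&datastore_root_url=&datastore_root_url=javascript:prompt(1)/")
    print(hrefs_from_query(qs))  # ['#', '#']
    print(render_link("https://demo.example/datastore"))
```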