[CKAN-Security] Information Disclosure -- private dataset existence and metadata to unauthenticated users.

Eric Soroos eric at derilinx.com
Tue Nov 19 12:19:49 UTC 2019


Versions: 2.8.3 -> 1.3.1

I've checked the 2.8, 2.7, 2.6 and 2.5 branches, and looked at a few other branches back to 1.3.1 and the affected file doesn't appear to have changed significantly in that time.  Current master is different as the affected file has been removed. It may be vulnerable, but has not been checked.

The Revisions controller only checks permissions for: 
  * Changing status of a revision
  * Site Read
  * the Atom feed filters out private datasets, but the regular list controller does not. 

# List Controller:
https://github.com/ckan/ckan/blame/2.8/ckan/controllers/revision.py#L125

This shows all revisions in the system to unauthenticated users at the url /revision.

# Diff Controller:

The diff controller has no access control, and will show field level diffs of changes, once again, a private dataset and an unauthenticated user:

As far as I can tell, this affects all shipping versions of CKAN. 

I've applied for a CVE in relation to this issue. 

Thanks,

Eric



Eric Soroos, Senior Developer
Derilinx - Linked & Open Data Solutions

Web: www.derilinx.com
Email: eric at derilinx.com
Address: Pembroke Hall, 38/39 Fitzwilliam Square West, Dublin 2, D02 NX53
Tel: +353 (0)1 254 4316
Mob: +353 (0)83 8730257
Twitter: @derilinx
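The following is an added illustration, not CKAN's code and not part of the report above: a minimal Python model of the two controller shapes the report describes. The listing that returns every revision regardless of caller sits beside a listing that filters by whether the caller may read the owning dataset (the kind of filtering the report says the Atom feed already does), and a diff endpoint that applies the same check. All names here (Dataset, Revision, User, can_read, list_revisions_unchecked, list_revisions, revision_diff, diff_denied) and the sample records are hypothetical stand-ins, not CKAN's API or data.

```python
"""Minimal model of the revision-listing and diff access control problem
described in the report. Added illustration only; none of these names are
CKAN's: Dataset, Revision, User, can_read, list_revisions_unchecked,
list_revisions, revision_diff and diff_denied are hypothetical stand-ins
for the real controller logic."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Dataset:
    name: str
    private: bool
    org: str  # organization that owns the dataset


@dataclass
class Revision:
    id: str
    dataset: str  # name of the dataset this revision belongs to
    changes: Dict[str, Tuple[str, str]]  # field -> (old value, new value)


@dataclass
class User:
    name: Optional[str]  # None models an unauthenticated request
    orgs: List[str] = field(default_factory=list)


class NotFound(Exception):
    """Raised for both missing and unreadable revisions, so the response does
    not reveal whether a private dataset exists."""


# Constructed sample records, not real CKAN data.
DATASETS = {
    "public-budget": Dataset("public-budget", private=False, org="finance"),
    "draft-salaries": Dataset("draft-salaries", private=True, org="hr"),
}
REVISIONS = [
    Revision("r1", "public-budget", {"title": ("Budget 2018", "Budget 2019")}),
    Revision("r2", "draft-salaries", {"notes": ("", "includes staff names")}),
    Revision("r3", "draft-salaries", {"title": ("Salaries", "Salaries (draft)")}),
]


def can_read(user: User, ds: Dataset) -> bool:
    """Public datasets are readable by anyone; private ones only by members
    of the owning organization."""
    return not ds.private or (user.name is not None and ds.org in user.orgs)


def list_revisions_unchecked() -> List[str]:
    """The shape the report describes: every revision in the system is
    listed regardless of who asks, so private datasets leak by name."""
    return [r.id for r in REVISIONS]


def list_revisions(user: User) -> List[str]:
    """Hardened shape: a revision is listed only if the caller may read the
    dataset it belongs to."""
    return [r.id for r in REVISIONS if can_read(user, DATASETS[r.dataset])]


def revision_diff(user: User, rev_id: str) -> Dict[str, Tuple[str, str]]:
    """Hardened diff endpoint: field-level changes are returned only after the
    same per-dataset read check, with one error for 'missing' and 'forbidden'."""
    rev = next((r for r in REVISIONS if r.id == rev_id), None)
    if rev is None or not can_read(user, DATASETS[rev.dataset]):
        raise NotFound(rev_id)
    return rev.changes


def diff_denied(user: User, rev_id: str) -> bool:
    """True if the diff endpoint refuses the request (helper for checks)."""
    try:
        revision_diff(user, rev_id)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    anon, hr_staff = User(None), User("alice", ["hr"])
    print("unchecked list:", list_revisions_unchecked())
    print("anon sees:", list_revisions(anon))
    print("hr staff sees:", list_revisions(hr_staff))
    print("anon diff r2 denied:", diff_denied(anon, "r2"))
```

The design point is that the check runs per revision against the owning dataset's visibility, not once per request, and that the diff endpoint answers "missing" and "not permitted" identically, so that neither the listing nor the diff confirms that a private dataset exists.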
