[CKAN-Security] Information Disclosure -- private dataset existence and metadata to unauthenticated users.

Adrià Mercader adria.mercader at okfn.org
Mon Nov 25 13:20:30 UTC 2019


Hi Eric,

Thanks for the report. I can confirm this is an issue.

Attached is a patch that restricts private datasets on that controller's
endpoints. Can you give it a try to confirm it works as expected?
We'll include it in our next patch release.

The old /revision/* controller has been removed in master (upcoming 2.9). I
personally tend to disable it on existing projects (with a simple redirect
in the custom plugin).

Thanks again,

Adrià

On Mon, 25 Nov 2019 at 10:50, Eric Soroos <eric at derilinx.com> wrote:

> Versions: 2.8.3 -> 1.3.1
>
> I've checked the 2.8, 2.7, 2.6 and 2.5 branches, and looked at a few other
> branches back to 1.3.1 and the affected file doesn't appear to have changed
> significantly in that time.  Current master is different as the affected
> file has been removed. It may be vulnerable, but has not been checked.
>
> The Revisions controller only checks permissions for:
>   * Changing status of a revision
>   * Site Read
>   * the Atom feed filters out private datasets, but the regular list
> controller does not.
>
> # List Controller:
> https://github.com/ckan/ckan/blame/2.8/ckan/controllers/revision.py#L125
>
> This shows all revisions in the system to unauthenticated users at the url
> /revision.
>
>
>
> # Diff Controller:
>
> The diff controller has no access control, and will show field level diffs
> of changes, once again, a private dataset and an unauthenticated user:
>
>
>
> As far as I can tell, this affects all shipping versions of CKAN.
>
> I've applied for a CVE in relation to this issue.
>
> Thanks,
>
> Eric
>
>
>
> Eric Soroos, Senior Developer
> Derilinx - Linked & Open Data Solutions
>
> Web: www.derilinx.com
> Email: eric at derilinx.com <eric at derilinx.com>
> Address: Pembroke Hall, 38/39 Fitzwilliam Square West, Dublin 2, D02 NX53
> Tel: +353 (0)1 254 4316
> Mob: +353 (0)83 8730257
> Twitter: @derilinx
>
> --
> You received this message because you are subscribed to the Google Groups
> "CKAN Security" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to security+unsubscribe at ckan.org.
>

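The missing check Eric's report describes, as an added example that is not part of this thread and not Adrià's attached patch or CKAN's own code: a minimal in-memory model of datasets, revisions and users, with the unfiltered listing beside a filtered one and a diff view that refuses instead of leaking field-level changes. `Dataset`, `Revision`, `User`, `NotAuthorized`, the helper names and the sample data are all hypothetical and constructed here.

```python
# Added example, not CKAN code: models the /revision list and diff views from
# the report and shows the authorization check they lacked. Dataset, Revision,
# User, NotAuthorized and the helper names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class NotAuthorized(Exception):
    """Raised when a user may not see a revision (hypothetical name)."""


@dataclass
class Dataset:
    name: str
    private: bool
    owner_org: Optional[str] = None


@dataclass
class Revision:
    id: str
    message: str
    packages: List[str]                # names of datasets changed in this revision
    diff: Dict[str, Tuple[str, str]]   # field -> (old value, new value)


@dataclass
class User:
    name: Optional[str] = None         # None models an unauthenticated request
    orgs: Set[str] = field(default_factory=set)
    sysadmin: bool = False


def can_read_dataset(user: User, ds: Dataset) -> bool:
    """Public datasets are readable by anyone; private ones only by members
    of the owning organisation or by sysadmins."""
    if not ds.private:
        return True
    if user.name is None:
        return False
    return user.sysadmin or ds.owner_org in user.orgs


def list_revisions_unfiltered(revisions: List[Revision]) -> List[Revision]:
    """The behaviour reported for /revision: every revision, for every caller."""
    return list(revisions)


def list_revisions(revisions: List[Revision], datasets: Dict[str, Dataset],
                   user: User) -> List[Revision]:
    """Fixed listing: a revision is shown only if the caller may read every
    dataset it touches. Revisions that touch no dataset stay visible."""
    return [r for r in revisions
            if all(can_read_dataset(user, datasets[p]) for p in r.packages)]


def revision_diff(rev: Revision, datasets: Dict[str, Dataset],
                  user: User) -> Dict[str, Tuple[str, str]]:
    """Fixed diff view: refuse outright rather than leak field-level changes."""
    for p in rev.packages:
        if not can_read_dataset(user, datasets[p]):
            raise NotAuthorized(f"revision {rev.id} touches private dataset {p}")
    return rev.diff


# Constructed sample data: one public and one private dataset, both owned by
# the same organisation, and three revisions touching them.
DATASETS = {
    "public-budget": Dataset("public-budget", private=False, owner_org="finance"),
    "draft-audit": Dataset("draft-audit", private=True, owner_org="finance"),
}
REVISIONS = [
    Revision("r1", "publish budget", ["public-budget"], {"title": ("", "Budget 2019")}),
    Revision("r2", "edit draft audit", ["draft-audit"], {"notes": ("", "not yet released")}),
    Revision("r3", "bulk update", ["public-budget", "draft-audit"], {"author": ("a", "b")}),
]

ANON = User()
FINANCE_EDITOR = User("alice", orgs={"finance"})
ADMIN = User("root", sysadmin=True)


def leaked_private_names(user: User) -> Set[str]:
    """Dataset names the unfiltered listing reveals to `user` that the filtered
    listing withholds; empty when the filter changes nothing for that user."""
    before = {p for r in list_revisions_unfiltered(REVISIONS) for p in r.packages}
    after = {p for r in list_revisions(REVISIONS, DATASETS, user) for p in r.packages}
    return before - after


if __name__ == "__main__":
    print("anonymous sees:", [r.id for r in list_revisions(REVISIONS, DATASETS, ANON)])
    print("leaked without filter:", leaked_private_names(ANON))
    try:
        revision_diff(REVISIONS[1], DATASETS, ANON)
    except NotAuthorized as e:
        print("diff refused:", e)
```

The filter is deliberately all-or-nothing per revision: a revision that touches both a public and a private dataset (r3 above) is hidden from anonymous users entirely, because showing it would still disclose the private dataset's existence through the package list, which is the disclosure the report is about.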
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PastedGraphic-1.png
Type: image/png
Size: 96977 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20191125/ded0c49b/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PastedGraphic-2.png
Type: image/png
Size: 110481 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20191125/ded0c49b/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: revisions_private_datasets.diff
Type: text/x-patch
Size: 2172 bytes
Desc: not available
URL: <https://lists.okfn.org/mailman/private/security/attachments/20191125/ded0c49b/attachment-0001.bin>