57b01fb655
There is a SQL Injection vulnerability in the
/cgi-bin/koha/opac-tags_subject.pl script.
By manipulating the variable 'number', the database can be accessed
via time-based blind injections.
The following string serves as an example:
/cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
To exploit the vulnerability, no authentication is needed
To test
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs notice something like
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
PROCEDURE ANALYSE
(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed the problem and the fix for it.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
81 lines
2 KiB
Perl
Executable file
81 lines
2 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
|
|
# Copyright 2000-2002 Katipo Communications
|
|
#
|
|
# This file is part of Koha.
|
|
#
|
|
# Koha is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Koha is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Koha; if not, see <http://www.gnu.org/licenses>.
|
|
|
|
|
|
=head1 opac-tags_subject.pl
|
|
|
|
TODO :: Description here
|
|
|
|
=cut
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use C4::Auth;
|
|
use C4::Context;
|
|
use C4::Output;
|
|
use CGI qw ( -utf8 );
|
|
use C4::Biblio;
|
|
use C4::Koha; # use getitemtypeinfo
|
|
|
|
my $query = new CGI;
|
|
|
|
my $dbh = C4::Context->dbh;
|
|
|
|
# open template
|
|
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
|
|
{
|
|
template_name => "opac-tags_subject.tt",
|
|
query => $query,
|
|
type => "opac",
|
|
authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ),
|
|
debug => 1,
|
|
}
|
|
);
|
|
|
|
my $number = $query->param('number') || 100;
|
|
|
|
my $sth = $dbh->prepare("SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT ?");
|
|
$sth->execute($number);
|
|
|
|
my %result;
|
|
my $max=0;
|
|
my $min=9999;
|
|
my ($entry,$weight);
|
|
while (($entry,$weight) = $sth->fetchrow) {
|
|
$result{$entry}=$weight;
|
|
$max = $weight if $weight > $max;
|
|
$min = $weight if $weight < $min;
|
|
}
|
|
|
|
$min++ if $min == $max;
|
|
|
|
my @loop;
|
|
foreach my $entry (sort keys %result) {
|
|
my %line;
|
|
$line{entry} = $entry;
|
|
$line{weight} = int(($result{$entry}-$min)/($max-$min)*25)+10;
|
|
push @loop, \%line;
|
|
}
|
|
$template->param(
|
|
LOOP => \@loop,
|
|
number => $number
|
|
);
|
|
|
|
output_html_with_http_headers $query, $cookie, $template->output;
|