Koha/C4
Chris Nighswonger b0f60221f4 Security Bugfix: Bug 1953 Adding Placeholders to SQL To Avoid Potential Injection Attacks
This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.

---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via statement) in the SQL.

For the exploit of this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").

This should successfully call DelAuthority, without authentication...
(DelAuthority is called BEFORE get_template_and_user, so before authentication
[This should be an issue also...]).

Please note that the problem isn't only that anyone can delete an authority of
their choice, it is more general: with "authid=1%20or%1=1" (after inclusion sql
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities ; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so delete what you want...

SQL-INJECTION is very permissive: you can redirect the output in a file (with
some MySQL function), so write the file of your choice on the server, in order
to create a backdoor, and compromise the server.

Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-02-25 07:08:39 +13:00
AuthoritiesMarc Bug 5385: POD Cleanups (part 1) 2010-11-12 10:06:55 +13:00
Barcodes Bug 5385 - Fixing an error that crept in with the POD cleanup 2010-11-12 10:42:19 +13:00
Cache Bug 5385: POD Cleanups (part 1) 2010-11-12 10:06:55 +13:00
ClassSortRoutine replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Creators bug 4306: respect item-level_itypes when displaying item label batches 2011-02-14 10:09:05 +13:00
External Bug 5385: POD Cleanups (part 1) 2010-11-12 10:06:55 +13:00
Form Follow up on Bug 5462: fixing variable names breaks messaging preference form 2011-02-17 08:50:26 +13:00
Heading Bug 5385: POD Cleanups (part 1) 2010-11-12 10:06:55 +13:00
ILSDI Bug 5450 Avoid a name clash in ILSDI modules 2010-12-01 10:05:51 +13:00
Installer bug 5389: mark Business::ISBN as a required dependency 2010-11-12 14:31:56 +13:00
Labels fixing various links to point to *.koha-community.org 2010-10-21 22:08:24 -04:00
Members Follow up on Bug 5462: fixing variable names breaks messaging preference form 2011-02-17 08:50:26 +13:00
Output Fix FSF address in directory C4/ 2010-03-16 20:17:56 -04:00
Patroncards fixing various links to point to *.koha-community.org 2010-10-21 22:08:24 -04:00
Reports Merge remote branch 'kc/new/biblibre_reports' into kcmaster 2010-12-14 06:31:00 +13:00
Search Bug 5385: POD Cleanups (part 1) 2010-11-12 10:06:55 +13:00
SIP Merge remote branch 'kc/new/bug_5586' into kcmaster 2011-01-24 07:21:47 +13:00
tests Bug 2505 - Add commented use warnings where missing in the C4/ directory 2010-04-21 20:25:32 +12:00
VirtualShelves Merge remote branch 'kc/new/enh/bug_5560' into kcmaster 2011-01-10 09:11:50 +13:00
Accounts.pm fixing various links to point to *.koha-community.org 2010-10-21 22:08:24 -04:00
Acquisition.pm (bug #3737) fix title search in order history 2011-01-11 08:57:07 +13:00
Auth.pm Follow-up correction for Bug 5462 - Fix variable names for template::toolkit 2011-02-08 21:03:28 +13:00
Auth_with_cas.pm MT3186: Remove warnings from Auth_with_cas 2010-04-23 06:55:13 -04:00
Auth_with_ldap.pm bug 4256: fix patron replication when using LDAP with auth_by_bind 2010-04-30 17:05:38 -04:00
AuthoritiesMarc.pm Security Bugfix: Bug 1953 Adding Placeholders to SQL To Avoid Potential Injection Attacks 2011-02-25 07:08:39 +13:00
BackgroundJob.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Barcodes.pm Bug 5681: Fixes leading zeroes in Add Mulpiple Copies 2011-02-03 10:08:50 +13:00
Biblio.pm Fixing a syntax error, that snuck in with a merge 2011-02-03 22:52:36 +13:00
Bookseller.pm Bug 5186 - allow tax rates to be set to zero (master) 2010-12-21 14:34:05 +13:00
Boolean.pm Bug 5448: Refactor Boolean.pm 2010-12-02 08:51:33 +13:00
Branch.pm Bug 5634: BZ5634 order branch list alphabetically, without taking care of uc/lc 2011-01-20 19:49:34 +13:00
Breeding.pm Fix FSF address in directory C4/ 2010-03-16 20:17:56 -04:00
Budgets.pm Bug 5084 - hide funds that are part of an inactive budget 2010-12-14 15:07:51 +13:00
Cache.pm Bug 5363 - Removing unused module (C4::Cache::FastMemcached) 2010-11-04 20:05:36 +13:00
Calendar.pm Fix for Bug 4991, Overhaul of Calendar interface 2010-11-02 15:02:54 +13:00
Category.pm POD Cleanups 2010-06-09 08:38:59 -04:00
Charset.pm NormalizeString POD Fixing and variable renaming 2011-02-18 10:39:56 +13:00
Circulation.pm Bug 3881: OPAC Privacy reimplementation 2011-01-31 22:23:50 +13:00
ClassSortRoutine.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
ClassSource.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Context.pm remove old revision history notes from a couple files 2010-06-25 05:18:44 -04:00
Contract.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Creators.pm Fix some compile time errors reported in test suite 2010-12-02 08:53:53 +13:00
Csv.pm Bug 2505 - Add commented use warnings where missing in *.pm 2010-04-21 20:28:51 +12:00
Dates.pm Fix for Bug 4473 - Recent comments view for the OPAC 2010-12-13 09:43:01 +13:00
Debug.pm More POD cleanups 2010-06-09 08:38:58 -04:00
Heading.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
ImportBatch.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Input.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Installer.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
ItemCirculationAlertPreference.pm POD Cleanups 2010-06-09 08:38:59 -04:00
Items.pm Bug 4263: Remove duplicated lines from C4::Items 2011-02-14 09:05:36 +13:00
ItemType.pm POD Cleanups 2010-06-09 08:38:59 -04:00
Koha.pm New icon set, renaming and making files in the intranet too 2011-01-19 14:42:46 +13:00
Labels.pm Bringing label, patroncard, and creator modules into conformity with the rest of C4 style. 2010-02-08 20:54:34 -05:00
Languages.pm bug 4188: move PDF templates for printed purchase orders 2010-07-02 08:49:44 -04:00
Letters.pm Bug 4211: This patch should provide a working way to send out mail from suggestions 2010-11-30 06:47:52 +13:00
Log.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Maintainance.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Matcher.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Members.pm Bug 3881: OPAC Privacy reimplementation 2011-01-31 22:23:50 +13:00
Message.pm POD Cleanups 2010-06-09 08:38:59 -04:00
NewsChannels.pm Fix FSF address in directory C4/ 2010-03-16 20:17:56 -04:00
Output.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Overdues.pm Partial fix for Bug 5745, Overdues with fines report not showing titles 2011-02-15 10:12:36 +13:00
Patroncards.pm Fix some compile time errors reported in test suite 2010-12-02 08:53:53 +13:00
Print.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Record.pm remove two disused functions 2010-10-21 20:31:51 -04:00
Reports.pm More POD cleanups 2010-06-09 08:38:58 -04:00
Reserves.pm Bug 5489: Send hold email to branch email address if it exists instead of koha email address 2010-12-20 10:24:53 +13:00
Review.pm Fix for Bug 4473 - Recent comments view for the OPAC 2010-12-13 09:43:01 +13:00
Ris.pm remove a bunch of unconditional debug warns 2010-07-02 10:57:08 -04:00
RotatingCollections.pm Fix some compile time errors reported in test suite 2010-12-02 08:53:53 +13:00
Scheduler.pm POD Cleanups 2010-06-09 08:38:59 -04:00
Scrubber.pm Bug 5611: Simple typo fix in the comments 2011-01-13 08:17:27 +13:00
Search.pm Bug 2341: items marked 'on order' not reserveable from search results 2011-02-03 22:00:01 +13:00
Serials.pm Bug 5026 Undefined dates formatted poorly in serials-edit 2011-01-17 21:22:14 +13:00
Service.pm POD Cleanups 2010-06-09 08:38:59 -04:00
ShelfBrowser.pm Bug 5551 - allow shelf browser filters to be changed 2011-01-21 11:08:42 +13:00
SMS.pm More POD cleanups 2010-06-09 08:38:58 -04:00
SQLHelper.pm POD Cleanups 2010-06-09 08:38:59 -04:00
Stats.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Suggestions.pm Bug 5589: Remove duplicated Exports in Suggestions.pm 2011-01-10 09:00:34 +13:00
Tags.pm More POD cleanups 2010-06-09 08:38:58 -04:00
UploadedFile.pm replace references to defunct info email address 2010-06-25 05:18:44 -04:00
Utils.pm
VirtualShelves.pm Fix for Bug 3347 - Inconsistencies with tables in opac-shelves.tmpl 2011-01-06 08:40:49 +13:00
XISBN.pm Fix for Bug 5570 - item types not showing on other editions 2011-01-07 14:18:09 +13:00
XSLT.pm Bug 5727 Warning in log due to XSLT.pm 2011-02-14 09:46:20 +13:00
Z3950.pm fixing various links to point to *.koha-community.org 2010-10-21 22:08:24 -04:00