b0f60221f4
This patch addresses both security issues mentioned in the summary of the report submitted by Frère Sébastien Marie included below.

---------------------------

The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority': the argument $authid is included directly (not via a prepared statement) in the SQL.

For the exploit of this problem, you can use 'authorities/authorities-home.pl' with authid on the URL and op=delete (something like "authorities/authorities-home.pl?op=delete&authid=xxx"). This should successfully call DelAuthority, without authentication... (DelAuthority is called BEFORE get_template_and_user, so before authentication [This should be an issue also...]).

Please note that the problem isn't only that anyone can delete an authority of their choice; it is more general: with "authid=1%20or%1=1" (after inclusion the SQL will be like: "delete from auth_header where authid=1 or 1=1") you delete all authorities; with "authid=1;delete%20from%xxx" it is "delete from auth_header where authid=1;delete from xxx" and so you delete what you want... SQL-INJECTION is very permissive: you can redirect the output to a file (with some MySQL function), so write the file of your choice on the server, in order to create a backdoor, and compromise the server.

Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
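As an added illustration, not the code of this commit or of Koha itself: a Perl sketch of the two fixes the report calls for, a DelAuthority that passes $authid to DBI as a bind value instead of interpolating it into the SQL, and a script that runs get_template_and_user before acting on op=delete. The template name, the editauthorities permission flag and the C4::Context->dbh accessor are assumptions.

```perl
use strict;
use warnings;
use CGI;
use C4::Context;
use C4::Auth qw(get_template_and_user);

# Hardened DelAuthority: $authid travels to MySQL as a bind value, never as
# part of the statement text, so "1 or 1=1" or "1;delete from xxx" cannot
# alter the query that runs.
sub DelAuthority {
    my ($authid) = @_;

    # authid is a surrogate key, so only a positive integer is acceptable;
    # reject anything else before it reaches the database at all.
    unless ( defined $authid && $authid =~ /\A[1-9][0-9]*\z/ ) {
        die "DelAuthority: invalid authid";
    }

    my $dbh = C4::Context->dbh;    # assumed: Koha's database handle accessor
    my $sth = $dbh->prepare("DELETE FROM auth_header WHERE authid = ?");
    my $rows = $sth->execute($authid);    # bound separately from the SQL
    return $rows;                         # rows deleted ("0E0" means none)
}

# Script side: authenticate and check permissions BEFORE any destructive op,
# instead of calling DelAuthority ahead of get_template_and_user.
my $query = CGI->new;
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
    {
        template_name   => "authorities/authorities-home.tmpl",    # assumed
        query           => $query,
        type            => "intranet",
        authnotrequired => 0,
        flagsrequired   => { editauthorities => 1 },               # assumed
    }
);

my $op = $query->param('op') // '';
if ( $op eq 'delete' ) {
    my $deleted = DelAuthority( scalar $query->param('authid') );
    # ... then render $template with $cookie as the original script does
}
```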