]> git.koha-community.org Git - koha.git/commit
Security Bugfix: Bug 1953 Adding Placeholders to SQL To Avoid Potential Injection...
authorChris Nighswonger <cnighswonger@foundations.edu>
Thu, 24 Feb 2011 14:57:11 +0000 (09:57 -0500)
committerChris Nighswonger <chris.nighswonger@gmail.com>
Thu, 24 Feb 2011 18:36:36 +0000 (13:36 -0500)
commitbc60c233601e34a75545ac5767a6a486d8c2c348
treed0eb4e58bd09600e92bf04fe895ec69f5767f2eb
parent348546aef192beb8aea09dd7bda60debfe7e1b5f
Security Bugfix: Bug 1953 Adding Placeholders to SQL To Avoid Potential Injection Attacks

This patch addresses both security issues mentioned in the summary of the report
submitted by Frère Sébastien Marie included below.

---------------------------
The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
The argument $authid is included directly (not via statement) in the SQL.

For the exploit of this problem, you can use 'authorities/authorities-home.pl'
with authid on the URL and op=delete (something like
"authorities/authorities-home.pl?op=delete&authid=xxx").

This should successfully call DelAuthority, without authentification...
(DelAuthority is call BEFORE get_template_and_user, so before authentification
[This should be an issue also...]).

Please note that the problem isn't only that anyone can delete an authority of
this choose, it is more general: with "authid=1%20or%1=1" (after inclusion sql
will be like: "delete from auth_header where authid=1 or 1=1") you delete all
authorities ; with "authid=1;delete%20from%xxx" it is "delete from auth_header
where authid=1;delete from xxx" and so delete what you want...

SQL-INJECTION is very permissive: you can redirect the output in a file (with
some MySQL function), so write thea file of you choose in the server, in order
to create a backdoor, and compromise the server.

Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit b0f60221f41041665c4fecacce35654fc8d45a01)

Signed-off-by: Chris Nighswonger <chris.nighswonger@gmail.com>
C4/AuthoritiesMarc.pm
authorities/authorities-home.pl