]> git.koha-community.org Git - koha.git/commit
Bug 14412: SQL injection possible
authorChris Cormack <chrisc@catalyst.net.nz>
Thu, 18 Jun 2015 20:35:07 +0000 (08:35 +1200)
committerFridolin Somers <fridolin.somers@biblibre.com>
Tue, 23 Jun 2015 09:28:25 +0000 (11:28 +0200)
commit3e6ad12ee87e8905f042091ae5d324524412f5d0
treea8f7f04b01528898d5d14dadd5b34b9776e5a341
parent4631b30b2fa4d379a09db4b7822753ade29b6df8
Bug 14412: SQL injection possible

There is a SQL Injection vulnerability in the
/cgi-bin/koha/opac-tags_subject.pl script.

By manipulating the variable 'number', the database can be accessed
via time-based blind injections.

The following string serves as an example:

/cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)

To exploit the vulnerability, no authentication is needed

To test
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs notice something like
  SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
  PROCEDURE ANALYSE
  (EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
   SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed the problem and the fix for it.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
(cherry picked from commit 57b01fb655955ac630d6018d03f4d134e7e3e25a)
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
(cherry picked from commit b414b22bf063d58e0e2255a648097cf9111ab445)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
opac/opac-tags_subject.pl