From 7c6ec195181b5cea3f108285f16afb1cd1654783 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 19 Jun 2015 10:12:45 +0200
Subject: [PATCH] Bug 14408 Path traversal vulnerability

/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search
Are vulnerable

To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit /search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit /cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also

Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
Signed-off-by: Mason James
(cherry picked from commit 0b7647eff31c85d8f7e1e5a50fd82d3b94eec816)
Signed-off-by: Fridolin Somers

Conflicts:
	C4/Auth.pm
---
 C4/Auth.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index 164092d01e..59d1e31d60 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -139,6 +139,10 @@ sub get_template_and_user {
     my $in = shift;
     my ( $user, $cookie, $sessionID, $flags );
 
+    # Sanitize template path to avoid path traversal
+    $in->{template_name} =~ s|^/||;
+    $in->{template_name} =~ s|\.\.||g;
+
     $in->{'authnotrequired'} ||= 0;
     my $template = C4::Templates::gettemplate(
         $in->{'template_name'},
-- 
2.39.5
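Review bot: The leading-slash strip `$in->{template_name} =~ s|^/||;` removes exactly one slash, so a name beginning with `//` still starts with `/` after sanitization; whether that reaches the filesystem as an absolute path depends on how C4::Templates::gettemplate (outside the hunk) joins the name onto the template root, which is not visible here, so at minimum the pattern should be `s|^/+||`. Silently rewriting the name also hides the fact that a caller supplied something it never should have, and the result surfaces later as a generic "file not found" rather than a rejection that can be logged; refusing bad input up front is the safer shape, and it makes the `..` stripping unnecessary because a `..` segment is simply refused (use `die` or whatever error convention the surrounding code follows). The new lines write `$in->{template_name}` while the neighbouring lines quote the key as `$in->{'template_name'}`; either works, but the hunk should match its surroundings. get_template_and_user continues past the end of the hunk.
```perl
    my ( $user, $cookie, $sessionID, $flags );

    # Reject rather than rewrite: a template name is a relative path with no
    # traversal segment; anything else is a caller bug or an attack and is
    # refused before it can reach the filesystem.
    my $template_name = $in->{'template_name'};
    if (   !defined $template_name
        || $template_name =~ m{\A/}
        || $template_name =~ m{(?:\A|/)\.\.(?:/|\z)}
        || $template_name =~ m{\0} )
    {
        die "Invalid template_name";
    }

    # … unchanged: authnotrequired default and gettemplate call …
```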