git.koha-community.org Git - koha.git/commit

]> git.koha-community.org Git - koha.git/commit

projects / koha.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: a1e0768) | patch

author	Chris Cormack <chrisc@catalyst.net.nz>
	Thu, 18 Jun 2015 20:35:07 +0000 (08:35 +1200)
committer	Liz Rea <wizzyrea@gmail.com>
	Sat, 20 Jun 2015 00:44:42 +0000 (12:44 +1200)
commit	0cba81194f86b1b7fbea9d2ab48fe8c995a3c247
tree	9b9dae3f036d14090fb04daafa3e83b0afcfcd51	tree \| snapshot
parent	a1e0768ceb728f0019086050837884d29e498dfe	commit \| diff

Bug 14412 : SQL injection possible

There is a SQL Injection vulnerability in the
/cgi-bin/koha/opac-tags_subject.pl script.

By manipulating the variable 'number', the database can be accessed
via time-based blind injections.

The following string serves as an example:

/cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)

To exploit the vulnerability, no authentication is needed

To test
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs notice something like
  SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
  PROCEDURE ANALYSE
  (EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
   SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed the problem and the fix for it.

Signed-off-by: Liz Rea <wizzyrea@gmail.com>

opac/opac-tags_subject.pl

diff | blob | history

Main Koha release repository