From f21934e03dac776f12ff598b70152f20be98914c Mon Sep 17 00:00:00 2001 From: Chris Cormack Date: Fri, 19 Jun 2015 08:35:07 +1200 Subject: [PATCH] Bug 14412 : SQL injection possible There is a SQL Injection vulnerability in the /cgi-bin/koha/opac-tags_subject.pl script. By manipulating the variable 'number', the database can be accessed via time-based blind injections. The following string serves as an example: /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1) To exploit the vulnerability, no authentication is needed To test 1/ Turn on mysql query logging 2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1) 3/ Check the logs notice something like SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1 PROCEDURE ANALYSE (EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1) 4/ Apply patch 5/ Hit the url again 6/ Notice the log now only has SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1 Signed-off-by: Jonathan Druart Signed-off-by: Katrin Fischer Confirmed the problem and the fix for it. Signed-off-by: Mason James --- opac/opac-tags_subject.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/opac/opac-tags_subject.pl b/opac/opac-tags_subject.pl index a19f406db9..1859cab037 100755 --- a/opac/opac-tags_subject.pl +++ b/opac/opac-tags_subject.pl @@ -51,8 +51,8 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user( my $number = $query->param('number') || 100; -my $sth = $dbh->prepare("SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT $number"); -$sth->execute; +my $sth = $dbh->prepare("SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT ?"); +$sth->execute($number); my %result; my $max=0; -- 2.39.5