From a1e0768ceb728f0019086050837884d29e498dfe Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 19 Jun 2015 10:12:45 +0200 Subject: [PATCH] Bug 14408 Path traversal vulnerability /cgi-bin/koha/svc/virtualshelves/search /cgi-bin/koha/svc/members/search Are vulnerable To test: 1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt Notice you get a valid JSON response 2/ Hit /search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd (You may have add more ..%2f or remove them to get the correct path) Notice you can see the contents of the /etc/passwd file 3/ Hit /cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd 4/ Apply patch 5/ Hit the first url again, notice it still works 6/ Hit the second url notice it now errors with a file not found 7/ Hit the third url notice it now errors with a file not found Repeat for the other script also Signed-off-by: Katrin Fischer Signed-off-by: Kyle M Hall
---
 C4/Auth.pm | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/C4/Auth.pm b/C4/Auth.pm
index 06525c135b..a2aa8aa132 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -157,6 +157,10 @@ sub get_template_and_user {
 C4::Context->interface( $in->{type} );
+ # Sanitize template path to avoid path traversal
+ $in->{template_name} =~ s|^/||;
+ $in->{template_name} =~ s|\.\.||g;
 $in->{'authnotrequired'} ||= 0;
 my $template = C4::Templates::gettemplate( $in->{'template_name'},
-- 
2.39.5
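Review bot: The two substitutions added at the top of the hunk rewrite a bad `template_name` instead of rejecting it, so the input is silently altered (`..../etc/passwd` becomes `/etc/passwd`, `.../x` becomes `./x`, and only one leading `/` is stripped, so `//etc/passwd` keeps an absolute form) and what finally reaches `C4::Templates::gettemplate` is hard to reason about; the enclosing `get_template_and_user` begins before the hunk. An anchored allowlist that fails closed is simpler to audit: `die "Invalid template name" unless ( $in->{template_name} // '' ) =~ m{ \A (?: [\w-]+ (?: \. [\w-]+ )* / )* [\w-]+ (?: \. [\w-]+ )+ \z }xms;` — widen the character class only to what the project's template names actually need. The `// ''` also avoids the "uninitialized value in substitution" warning the new lines emit when no template_name was supplied. Because the check lives in this sub, any script that passes a request parameter straight to `gettemplate` (if one exists) would still need the same validation; the comment should say the check is a denylist rather than a canonicalisation, e.g. `# Reject, rather than rewrite, template names that are absolute or contain '..'`.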