http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Bug #: 6628 Summary: [security] help system use insecure REFERRER for file inclusion Classification: Unclassified Change sponsored?: --- Product: Koha Version: unspecified Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: Architecture, internals, and plumbing AssignedTo: gmcharlt@gmail.com ReportedBy: semarie-koha@latrappe.fr QAContact: koha-bugs@lists.koha-community.org The 'help.pl' use REFERRER HTTP-Header for determine which template should be displayed to user. This HTTP-Header could be forged by user. CWE-73: External Control of File Name or Path (see http://cwe.mitre.org/data/definitions/73.html) The template name is extracted from REFERRER which regex:
our $refer = $query->referer(); $refer =~ /koha\/(.*)\.pl/; my $from = "modules/help/$1.tt";
So it is possible to have a referer like: http://xxx/koha/EVIL-THING.plxxx and $from should be egal to "modules/help/EVIL-THING.tt" Some suggestions: - It should be better to have a better regex for extract the help template: like only allow a-zA-Z, '-' and '/' (not including '.' [for ".."], but including '/' for help templates like "members/boraccount.tt") - It will be better to rename all help templates from: "members/boraccount.tt" to "members-boraccount.tt", in order to remove need of '/' in regex. And all '/' in value taken from referer must be remplaced by '-'. ('-' in path is less worst than '/'). -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.