[Bug 6628] New: [security] help system use insecure REFERRER for file inclusion
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Bug #: 6628 Summary: [security] help system use insecure REFERRER for file inclusion Classification: Unclassified Change sponsored?: --- Product: Koha Version: unspecified Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P5 Component: Architecture, internals, and plumbing AssignedTo: gmcharlt@gmail.com ReportedBy: semarie-koha@latrappe.fr QAContact: koha-bugs@lists.koha-community.org The 'help.pl' use REFERRER HTTP-Header for determine which template should be displayed to user. This HTTP-Header could be forged by user. CWE-73: External Control of File Name or Path (see http://cwe.mitre.org/data/definitions/73.html) The template name is extracted from REFERRER which regex:
our $refer = $query->referer(); $refer =~ /koha\/(.*)\.pl/; my $from = "modules/help/$1.tt";
So it is possible to have a referer like: http://xxx/koha/EVIL-THING.plxxx and $from should be egal to "modules/help/EVIL-THING.tt" Some suggestions: - It should be better to have a better regex for extract the help template: like only allow a-zA-Z, '-' and '/' (not including '.' [for ".."], but including '/' for help templates like "members/boraccount.tt") - It will be better to rename all help templates from: "members/boraccount.tt" to "members-boraccount.tt", in order to remove need of '/' in regex. And all '/' in value taken from referer must be remplaced by '-'. ('-' in path is less worst than '/'). -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Frère Sébastien Marie <semarie-koha@latrappe.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |critical -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #1 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 18:42:16 UTC --- Created attachment 6413 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6413 Bug 6628 : Stopping a potential vulnerability -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - low |PATCH-Sent CC| |chris@bigballofwax.co.nz Patch Status|--- |Needs Signoff -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #2 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-25 18:46:47 UTC --- Please test You can test by fudging the referrer, or by passing a url=bogus value http://localhost:8080/cgi-bin/koha/help.pl?url=koha/../../../../../../etc/pa... -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Robin Sheat <robin@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |robin@catalyst.net.nz -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #3 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-26 09:12:09 UTC --- The regexp isn't correct, as it disallow numbers in filename, like these: acqui/z3950_search admin/z3950servers admin/koha2marclinks So we should use: s/[^a-zA-Z0-9_\-\/]//g Else, works well. Thanks. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Frère Sébastien Marie <semarie-koha@latrappe.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6413|0 |1 is obsolete| | --- Comment #4 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-26 09:32:38 UTC --- Created attachment 6417 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6417 Bug 6628 : Stopping a potential vulnerability Here a proposed replacement: - using regex including 0-9 - remove trailing whitespace -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #6417|0 |1 is obsolete| | --- Comment #5 from Katrin Fischer <katrin.fischer@bsz-bw.de> 2011-11-28 07:40:49 UTC --- Created attachment 6440 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6440 [SIGNED-OFF] Bug 6628 : Stopping a potential vulnerability Signed-off-by: Frère Sébastien Marie <semarie-koha@latrappe.fr> Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> - verified help pages still work - verified /cgi-bin/koha/help.pl?url=koha/../catalogue/advsearch.pl does not show the template file (did work on master, not after applying patch) - verified cgi-bin/koha/help.pl?url=koha/../../../../../../etc/passwd%00.pl does not work (didn't work on master or after applying patch) -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Patch Status|Needs Signoff |Signed Off -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Paul Poulain <paul.poulain@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |paul.poulain@biblibre.com Version|unspecified |rel_3_6 Patch Status|Signed Off |Patch Pushed AssignedTo|gmcharlt@gmail.com |chris@bigballofwax.co.nz Severity|critical |normal --- Comment #6 from Paul Poulain <paul.poulain@biblibre.com> 2011-11-28 09:09:39 UTC --- This vulnerability would allow anyone reading any .tt file on the server. As /etc/password is not ending by .tt, this problem is much less critical than the 6629 one ! That's why, Katrin, you didn't see any difference before and after applying the patch. The fix is usefull though, as it's a vulnerability, so it's pushed. Patch pushed, please test -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #7 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-28 09:40:47 UTC --- (In reply to comment #6)
This vulnerability would allow anyone reading any .tt file on the server. As /etc/password is not ending by .tt, this problem is much less critical than the 6629 one !
Paul, here I disagree with you :-) Under 3.4.x (sorry, no master deployed for test), I could successfully exploit this vulnerability to echo /etc/passwd. The ".tt" at the end is normally discarded by %00 (the meaning is the same that \0 in C-string, it is stand for end-of-string). Katrin, you could try to add more ../ to url (here, we traversal should go back from "$htdocs/$theme/$lang/modules/help/", and depending where is located $htdocs, there are a couple of parent before the root's filesystem). My test against 3.4.x: /cgi-bin/koha/help.pl?url=koha/../../../../../../../../../../../etc/passwd%00.pl -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #8 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-28 09:48:00 UTC --- oh, and more important: the patch successfully stop the vulnerability ! -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Paul Poulain <paul.poulain@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |critical --- Comment #9 from Paul Poulain <paul.poulain@biblibre.com> 2011-11-28 09:51:00 UTC --- Youre Right Frère Sébastien-Marie !!! So, chris_n, it's a new security issue that must be fixed as well ! -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #10 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-28 10:00:11 UTC --- The patch will apply for 3.4.x as well. Please cherry pick, I will do one for 3.2.x for people who want to patch their systems. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #11 from Chris Cormack <chris@bigballofwax.co.nz> 2011-11-28 10:15:20 UTC --- Created attachment 6443 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6443 [3.2.x] Bug 6628 fixing security vulnerability -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 --- Comment #12 from Frère Sébastien Marie <semarie-koha@latrappe.fr> 2011-11-28 10:32:32 UTC --- Created attachment 6444 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=6444 [3.4.x] Bug 6628 fixing security vulnerability The patch correct also two invalid calls to themelanguage: tests are not possible else (Undefined subroutine &main::themelanguage) -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628 Jared Camins-Esakov <jcamins@cpbibliography.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |Pushed to Stable --- Comment #13 from Jared Camins-Esakov <jcamins@cpbibliography.com> --- This fix was included in the 3.6.x branch prior to 3.6.4. -- You are receiving this mail because: You are the QA Contact for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org