[Bug 3280] New: opac/opac-sendbasket.pl security leaky
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280 Summary: opac/opac-sendbasket.pl security leaky Product: Koha Version: HEAD Platform: Other OS/Version: Linux - Debian Status: NEW Severity: normal Priority: P3 Component: OPAC AssignedTo: jmf@liblime.com ReportedBy: dbavousett@ptfs.com Estimated Hours: 0.0 Change sponsored?: --- It is possible for a clever user who has access to the source to spot that opac-sendbasket.pl has a security leak, and use a Koha server as a spam relay. opac-sendbasket.pl uses CGI's param() method to fetch in parameters. This functions fine, but it doesn't *care* if the parameters come in via GET or POST methods. Thus, you can: http://server/cgi-bin/koha/opac-sendbasket. pl?&email_add=user@domain.com&comment=”blahblahblah” This will send a message with the cart header as defined elsewhere, plus the comments from the "comment" param, to user@domain.com. A moderately-clever geek could easily work out a script to use this as a spamming tool. My suggestion would be to either use CGI_Lite, which allows for control over passing method, or manually fetching in the parameters "the hard way", which would allow you to explicitly disallow GET params in (at a minimum) email_add and comment. -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280 --- Comment #1 from J. David Bavousett <dbavousett@ptfs.com> 2009-06-01 18:46:22 --- Another part of this, I suppose, is that it doesn't seem check for an empty cart (variable bib_list?). Doing that would also tighten up the security of this script, I suspect, and would make it a bit more user-friendly. -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280 Jane Wagner <jwagner@ptfs.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jwagner@ptfs.com -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |chris@bigballofwax.co.nz --- Comment #2 from Chris Cormack <chris@bigballofwax.co.nz> 2009-06-01 19:33:03 --- Yeah, disallowing GET, would mean they would SPAM through POST instead. Spammers are nothing if not persistent. Checking for a non empty cart seems like a good way to go. -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280 Joe Atzberger <joe.atzberger@liblime.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |joe.atzberger@liblime.com --- Comment #3 from Joe Atzberger <joe.atzberger@liblime.com> 2009-06-01 20:31:53 --- Might be good to insert, "this request came from IP: $ENV{REMOTE_ADDR}". Doesn't prevent the problem, but may help ID your culprit if spamming occurs. Other possibilities: ~ require user to be logged in to send cart, then send only to (one of) their registered addresses, using message queue (true prevention, with part of the feature sacrificed) ~ build internal tracking of messages sent with thresholds considered "abusive" (damage limitation) ~ take the address in a separate request from the "send" confirmation, either retaining it on the server side or passing it back and forth in an encrypted form (problem obfuscation -- not truly more secure, but more difficult to exploit) -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280 Dianne Hall <dhall@ebpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dhall@ebpl.org -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280 Nicole C. Engard <nengard@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|jmf@liblime.com |gmcharlt@gmail.com -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
participants (2)
-
bugzilla-daemon@kohaorg.ec2.liblime.com -
bugzilla-daemon@liblime.com