Fwd: Critical security bug in Koha!
Je vous fais suivre ce mail de joubu, si qqn peut se pencher dessus et contribuer à le résoudre... (me tenir au courant svp) A+ -------- Message transféré -------- Sujet : Critical security bug in Koha! Date : Wed, 1 Sep 2021 11:34:23 +0200 De : Jonathan Druart <jonathan.druart@gmail.com> Pour : Martin Renvoize <martin.renvoize@ptfs-europe.com>, Paul Poulain <paul.poulain@biblibre.com>, Nick Clemens <nick@bywatersolutions.com>, Tomas Cohen Arazi <tomascohen@gmail.com>, David Cook <dcook@prosentient.com.au>, Philippe Blouin <philippe.blouin@inlibro.com>, Marcel de Rooy <M.de.Rooy@rijksmuseum.nl>, Andrii Vashchuk <nugged@gmail.com>, Katrin Fischer <Katrin.Fischer.83@web.de>, Chris Cormack <chris@bigballofwax.co.nz>, Galen Charlton <gmcharlt@gmail.com>, Mason James <mtj@kohaaloha.com>, Owen Leonard <oleonard@myacpl.org> Hello everybody, If you get this email I am expecting from you to talk about it to whom could be concerned. Yesterday a bug (28929) was reported about a possible privilege escalation. https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28929 It is confirmed and is highlighly critical in some cases, and stay critical in all other cases. It's really bad. Basically we are missing filtering on patron's data when we create or edit a patron. Which means a user can edit whichever info they want, by modifying the DOM of the page. And, it includes borrowers.flags (that's where it hurts really badly). It impacts both OPAC and Staff interfaces. What you should do: 1. Reduce the risks! * Disable PatronSelfRegistration (!) * Disable AutoApprovePatronProfileSettings (!) or you can totally disable OPACPatronDetails 2. Make sure the staff interface is not accessible to the world 3. Remove old librarian accounts 4. Something else you have in mind? If so, please share! Then you should (or ask your team to) help us. We will need people on the bug to: 1. Write patches and discuss the best approach to fix the different issues (there are patches already) 2. Test! and test! We will have to test on five different versions (master+4 stables)! 3. QA, and *really* review, all the different versions (we really want to prevent a mess publishing a fix that will introduce regressions). We will then need to coordinate. A plan (to discuss) could be: 1. Tell the big actors to be ready for an urgent release (This is the goal of this email!) 2. Make the patches ready for the different versions (see the above) 3. Have all the packages ready, before we communicate publicly (Mason, will you be available?) 4. Tell the people we know to upgrade (so, you, and those who are aware of the problem) 5. Announce publicly What do you think? This info should not be public, but please communicate as much as you can around you (people you trust of course). No need to over communicate either, as we are not ready yet! If you don't have access to the bug, just tell me (or Tomas, Katrin, Martin, Nick, etc.) Cheers, Jonathan -- Paul Poulain, Associé-gérant / co-owner BibLibre, Services en logiciels libres pour les bibliothèques BibLibre, Open Source software and services for libraries
yikes... merde... this emails was intended to be forwarded to BibLibre developers, not to this list :((( Le 02/09/2021 à 14:18, Paul Poulain a écrit :
Je vous fais suivre ce mail de joubu, si qqn peut se pencher dessus et contribuer à le résoudre... (me tenir au courant svp)
A+
-------- Message transféré -------- Sujet : Critical security bug in Koha! Date : Wed, 1 Sep 2021 11:34:23 +0200 De : Jonathan Druart <jonathan.druart@gmail.com> Pour : Martin Renvoize <martin.renvoize@ptfs-europe.com>, Paul Poulain <paul.poulain@biblibre.com>, Nick Clemens <nick@bywatersolutions.com>, Tomas Cohen Arazi <tomascohen@gmail.com>, David Cook <dcook@prosentient.com.au>, Philippe Blouin <philippe.blouin@inlibro.com>, Marcel de Rooy <M.de.Rooy@rijksmuseum.nl>, Andrii Vashchuk <nugged@gmail.com>, Katrin Fischer <Katrin.Fischer.83@web.de>, Chris Cormack <chris@bigballofwax.co.nz>, Galen Charlton <gmcharlt@gmail.com>, Mason James <mtj@kohaaloha.com>, Owen Leonard <oleonard@myacpl.org>
Hello everybody,
If you get this email I am expecting from you to talk about it to whom could be concerned.
Yesterday a bug (28929) was reported about a possible privilege escalation. https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28929 It is confirmed and is highlighly critical in some cases, and stay critical in all other cases. It's really bad. Basically we are missing filtering on patron's data when we create or edit a patron. Which means a user can edit whichever info they want, by modifying the DOM of the page. And, it includes borrowers.flags (that's where it hurts really badly).
It impacts both OPAC and Staff interfaces.
What you should do: 1. Reduce the risks! * Disable PatronSelfRegistration (!) * Disable AutoApprovePatronProfileSettings (!) or you can totally disable OPACPatronDetails 2. Make sure the staff interface is not accessible to the world 3. Remove old librarian accounts 4. Something else you have in mind? If so, please share!
Then you should (or ask your team to) help us. We will need people on the bug to: 1. Write patches and discuss the best approach to fix the different issues (there are patches already) 2. Test! and test! We will have to test on five different versions (master+4 stables)! 3. QA, and *really* review, all the different versions (we really want to prevent a mess publishing a fix that will introduce regressions).
We will then need to coordinate. A plan (to discuss) could be: 1. Tell the big actors to be ready for an urgent release (This is the goal of this email!) 2. Make the patches ready for the different versions (see the above) 3. Have all the packages ready, before we communicate publicly (Mason, will you be available?) 4. Tell the people we know to upgrade (so, you, and those who are aware of the problem) 5. Announce publicly
What do you think?
This info should not be public, but please communicate as much as you can around you (people you trust of course). No need to over communicate either, as we are not ready yet!
If you don't have access to the bug, just tell me (or Tomas, Katrin, Martin, Nick, etc.)
Cheers, Jonathan -- Paul Poulain, Associé-gérant / co-owner BibLibre, Services en logiciels libres pour les bibliothèques BibLibre, Open Source software and services for libraries
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : https://www.koha-community.org/ git : https://git.koha-community.org/ bugs : https://bugs.koha-community.org/
-- Paul Poulain, Associé-gérant / co-owner BibLibre, Services en logiciels libres pour les bibliothèques BibLibre, Open Source software and services for libraries
participants (1)
-
Paul Poulain