Possible OPAC security pb
Hie, I've just opened http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10590. I've set it to critical because I think it is a security problem existing at OPAC : In opac-topissues the parameter limit is directly added at the end of the SQL query, without testing its value. A user can edit this parameter to add SQL code to query : for example : limit=10;DROP+TABLE+borrowers;. Please have a look and test. Best regards, -- Fridolyn SOMERS Biblibre - Pôle support fridolyn.somers@biblibre.com
Op 15/07/13 12:17, Fridolyn SOMERS schreef:
I've just opened http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10590. I've set it to critical because I think it is a security problem existing at OPAC :
So, on analysis, it is a terribly bad code smell that needs to be fixed, however you're not likely to be in immediate danger unless your mysql server has multiple statement execution turned on[0]. This said, there are two patches there now: Fridolyn's one that filters on input, and my followup that parameterises the SQL to add another layer of defence (also doing queries the way they're supposed to be done.) These are in the process of being tested and QAed now, people are encouraged to apply them as soon as they're in a release (or in git if you run from that) in case there is some vulnerable path to it I haven't thought of. [0] http://dev.mysql.com/doc/refman/5.0/en/c-api-multiple-queries.html -- thanks Galen for bringing that to my attention. -- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
Hi, On Mon, Jul 15, 2013 at 7:20 AM, Robin Sheat <robin@catalyst.net.nz> wrote:
This said, there are two patches there now: Fridolyn's one that filters on input, and my followup that parameterises the SQL to add another layer of defence (also doing queries the way they're supposed to be done.)
These two patches have now been tested and pushed to master [1, 2] [1] http://git.koha-community.org/gitweb/?p=koha.git;a=commit;h=57866d6b67c3f8b2... [2] http://git.koha-community.org/gitweb/?p=koha.git;a=commit;h=89cf013a6fadcb13... Regards, Galen -- Galen Charlton Manager of Implementation Equinox Software, Inc. / The Open Source Experts email: gmc@esilibrary.com direct: +1 770-709-5581 cell: +1 404-984-4366 skype: gmcharlt web: http://www.esilibrary.com/ Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
Thanks everyone. Le 15/07/2013 17:22, Galen Charlton a écrit :
Hi,
On Mon, Jul 15, 2013 at 7:20 AM, Robin Sheat <robin@catalyst.net.nz> wrote:
This said, there are two patches there now: Fridolyn's one that filters on input, and my followup that parameterises the SQL to add another layer of defence (also doing queries the way they're supposed to be done.)
These two patches have now been tested and pushed to master [1, 2]
[1] http://git.koha-community.org/gitweb/?p=koha.git;a=commit;h=57866d6b67c3f8b2... [2] http://git.koha-community.org/gitweb/?p=koha.git;a=commit;h=89cf013a6fadcb13...
Regards,
Galen
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
-- Fridolyn SOMERS Biblibre - Pôle support fridolyn.somers@biblibre.com
participants (3)
-
Fridolyn SOMERS -
Galen Charlton -
Robin Sheat