security question about injection in Zebra
Hi, Seeing the patch proposed by Marcel de Rooy for bug 6536, a question arrived in my mind about injection of code in Zebra. Does someone is aware about something like that ? Next an extract of patch (and after my comments): On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
diff --git a/C4/Breeding.pm b/C4/Breeding.pm index 9003f9a..cb04e14 100644 --- a/C4/Breeding.pm +++ b/C4/Breeding.pm
[...]
+sub build_query { + my $nterms=0; + my $title = $input->param('title')||''; + my $author = $input->param('author')||''; + my $isbn = $input->param('isbn')||''; + my $lccall = $input->param('lccall')||''; + my $subject = $input->param('subject')||''; + my $dewey = $input->param('dewey')||''; + my $controlnumber = $input->param('controlnumber')||''; + my $stdid = $input->param('stdid')||''; + my $srchany = $input->param('srchany')||''; + + if ($isbn) { + $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" "; + $squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and "; + $nterms++; + } + if ($title) { + utf8::decode($title); + $zquery .= "\@attr 1=4 \"$title\" "; + $squery .= "[title]=\"$title\" and "; + $nterms++; + }
[...] First, some notes about code: - alls variables seems to come from userdata (input query), so are user controlled. - if one contains a double-quote escape in done (and could result invalid query) About zebra possible exploits (untested): - yaz-client (Z39.50 client) permit bang pattern for shell invocation, does the library too ? - does zebra permit anonymous index write ? (resulting index corruption, possible affection of koha for places where data are read from zebra, and use 'as-it') - or connection to another server ? (could expose local network area) - ... If someone have other ideas... If zebra library permit use of placeholders, we should use them. Else perhaps develop a small function for variable escapment before inclusion in zebra query. Thanks. -- Frère Sébastien Marie Abbaye Notre Dame de La Trappe 61380 Soligny-la-Trappe Tél: 02.33.84.17.00 Fax: 02.33.34.98.57 Web: http://www.latrappe.fr/
Hie, A just question indeed. About : - if one contains a double-quote escape in done (and could result invalid query) You should open a bug. I think replacing double-quotes with a space should work, double quotes are considered by Zebra like a space between 2 words. Needs more investigation. Regards, 2011/6/30 Frère Sébastien <sebastien.marie@latrappe.fr>
Hi,
Seeing the patch proposed by Marcel de Rooy for bug 6536, a question arrived in my mind about injection of code in Zebra.
Does someone is aware about something like that ?
Next an extract of patch (and after my comments):
On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
diff --git a/C4/Breeding.pm b/C4/Breeding.pm index 9003f9a..cb04e14 100644 --- a/C4/Breeding.pm +++ b/C4/Breeding.pm
[...]
+sub build_query { + my $nterms=0; + my $title = $input->param('title')||''; + my $author = $input->param('author')||''; + my $isbn = $input->param('isbn')||''; + my $lccall = $input->param('lccall')||''; + my $subject = $input->param('subject')||''; + my $dewey = $input->param('dewey')||''; + my $controlnumber = $input->param('controlnumber')||''; + my $stdid = $input->param('stdid')||''; + my $srchany = $input->param('srchany')||''; + + if ($isbn) { + $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" "; + $squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and "; + $nterms++; + } + if ($title) { + utf8::decode($title); + $zquery .= "\@attr 1=4 \"$title\" "; + $squery .= "[title]=\"$title\" and "; + $nterms++; + }
[...]
First, some notes about code: - alls variables seems to come from userdata (input query), so are user controlled. - if one contains a double-quote escape in done (and could result invalid query)
About zebra possible exploits (untested): - yaz-client (Z39.50 client) permit bang pattern for shell invocation, does the library too ? - does zebra permit anonymous index write ? (resulting index corruption, possible affection of koha for places where data are read from zebra, and use 'as-it') - or connection to another server ? (could expose local network area) - ...
If someone have other ideas...
If zebra library permit use of placeholders, we should use them. Else perhaps develop a small function for variable escapment before inclusion in zebra query.
Thanks. -- Frère Sébastien Marie Abbaye Notre Dame de La Trappe 61380 Soligny-la-Trappe Tél: 02.33.84.17.00 Fax: 02.33.34.98.57 Web: http://www.latrappe.fr/ _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
-- Fridolyn SOMERS ICT engineer PROGILONE - Lyon - France fridolyn.somers@gmail.com
Le 30/06/2011 19:53, Frère Sébastien Marie a écrit :
Hi,
Seeing the patch proposed by Marcel de Rooy for bug 6536, a question arrived in my mind about injection of code in Zebra.
Does someone is aware about something like that ?
Next an extract of patch (and after my comments):
On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
diff --git a/C4/Breeding.pm b/C4/Breeding.pm index 9003f9a..cb04e14 100644 --- a/C4/Breeding.pm +++ b/C4/Breeding.pm
[...]
+sub build_query { + my $nterms=0; + my $title = $input->param('title')||''; + my $author = $input->param('author')||''; + my $isbn = $input->param('isbn')||''; + my $lccall = $input->param('lccall')||''; + my $subject = $input->param('subject')||''; + my $dewey = $input->param('dewey')||''; + my $controlnumber = $input->param('controlnumber')||''; + my $stdid = $input->param('stdid')||''; + my $srchany = $input->param('srchany')||''; + + if ($isbn) { + $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" "; + $squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and "; + $nterms++; + } + if ($title) { + utf8::decode($title); + $zquery .= "\@attr 1=4 \"$title\" "; + $squery .= "[title]=\"$title\" and "; + $nterms++; + }
[...]
First, some notes about code: - alls variables seems to come from userdata (input query), so are user controlled. - if one contains a double-quote escape in done (and could result invalid query)
About zebra possible exploits (untested): - yaz-client (Z39.50 client) permit bang pattern for shell invocation, does the library too ? mmm nice question But I don't think so
- does zebra permit anonymous index write ? (resulting index corruption, possible affection of koha for places where data are read from zebra, and use 'as-it') No. zebra default configuration in koha only allows anonymous READ access. And every read/write is subject to authentication.
- or connection to another server ? (could expose local network area) default zebra configuration in koha is only on unix socket and not even exposing zebra server to outer internet space.
If zebra library permit use of placeholders, we should use them. Else perhaps develop a small function for variable escapment before inclusion in zebra query. It is not a feature that I am aware of. But it uses ZOOM::RPN Queries and Koha is forging that.
Thanks.
-- Henri-Damien LAURENT BibLibre
participants (3)
-
Fridolyn SOMERS -
Frère Sébastien Marie -
LAURENT Henri-Damien