[Koha-bugs] [Bug 3280] New: opac/opac-sendbasket.pl security leaky
bugzilla-daemon at liblime.com
Mon Jun 1 20:42:11 CEST 2009
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280
Summary: opac/opac-sendbasket.pl security leaky
Product: Koha
Version: HEAD
Platform: Other
OS/Version: Linux - Debian
Status: NEW
Severity: normal
Priority: P3
Component: OPAC
AssignedTo: jmf at liblime.com
ReportedBy: dbavousett at ptfs.com
Estimated Hours: 0.0
Change sponsored?: ---
It is possible for a clever user who has access to the source to spot that
opac-sendbasket.pl has a security leak, and use a Koha server as a spam relay.
opac-sendbasket.pl uses CGI's param() method to fetch in parameters. This
functions fine, but it doesn't *care* if the parameters come in via GET or POST
methods. Thus, you can:
http://server/cgi-bin/koha/opac-sendbasket.pl?&email_add=user at domain.com&comment="blahblahblah"
This will send a message with the cart header as defined elsewhere, plus the
comments from the "comment" param, to user at domain.com. A moderately-clever
geek could easily work out a script to use this as a spamming tool.
My suggestion would be to either use CGI_Lite, which allows for control over
the passing method, or to fetch the parameters manually "the hard way", which
would allow you to explicitly disallow GET params in (at a minimum) email_add
and comment.
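The behaviour the report describes, and the POST-only check it asks for, as an added example in Perl. This is not Koha code and not the reporter's: it assumes the CGI module is installed (cpan CGI), the handler names leaky_send and strict_send are hypothetical, and the two crafted requests are constructed inside the script so nothing is actually mailed.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: why CGI.pm's param() does not care
# whether a field arrived by GET or POST, and one way to refuse GET for
# the mail-sending fields. Assumes the CGI module is installed (cpan CGI).
# The handler names leaky_send and strict_send are hypothetical.
use strict;
use warnings;
use CGI;

# Vulnerable pattern, as described in the bug: param() returns the field
# from wherever it came, so a crafted GET URL is enough to trigger the mail.
sub leaky_send {
    my ($q) = @_;
    my $email   = $q->param('email_add');
    my $comment = $q->param('comment');
    return 'nothing to send' unless defined $email;
    $comment = '' unless defined $comment;
    return "would send cart to $email with comment: $comment";
}

# Hardened pattern: insist on POST, then read the fields only from the
# request body. On a POST, CGI.pm keeps body fields in param() and
# query-string fields in url_param(), so a query string tacked onto the
# form action cannot smuggle in a recipient. Reject the request outright
# if a sensitive field shows up in the URL rather than silently ignoring it.
sub strict_send {
    my ($q) = @_;
    return '405 Method Not Allowed' unless $q->request_method eq 'POST';
    for my $name (qw(email_add comment)) {
        return "400 Bad Request: $name not accepted in the URL"
            if defined $q->url_param($name);
    }
    my $email   = $q->param('email_add');
    my $comment = $q->param('comment');
    return '400 Bad Request: missing email_add' unless defined $email;
    $comment = '' unless defined $comment;
    return "would send cart to $email with comment: $comment";
}

# Offline demonstration with constructed requests. CGI.pm takes the
# method and query string from %ENV, and a hashref to CGI->new stands in
# for a parsed POST body, so no web server or STDIN is needed.
sub demo {
    my @out;

    # 1. The GET URL from the bug report (%40 is '@').
    $ENV{REQUEST_METHOD} = 'GET';
    $ENV{QUERY_STRING}   = 'email_add=user%40domain.com&comment=blahblahblah';
    my $get = CGI->new;
    push @out, 'leaky/GET:  ' . leaky_send($get);    # mail would go out
    push @out, 'strict/GET: ' . strict_send($get);   # 405

    # 2. A POST whose body is fine but whose URL also carries email_add.
    $ENV{REQUEST_METHOD} = 'POST';
    $ENV{QUERY_STRING}   = 'email_add=user%40domain.com';
    my $post = CGI->new({ email_add => 'friend@example.org', comment => 'hi' });
    push @out, 'strict/POST+URL field: ' . strict_send($post);  # 400

    # 3. A clean POST: body fields only.
    $ENV{QUERY_STRING} = '';
    my $clean = CGI->new({ email_add => 'friend@example.org', comment => 'hi' });
    push @out, 'strict/POST: ' . strict_send($clean);  # mail would go out
    return @out;
}

print "$_\n" for demo();
```

Requiring POST is the minimum the report asks for and it closes the one-line-URL case, but a scripted spammer can issue POSTs just as easily as GETs. In practice the method check belongs alongside a per-session token embedded in the cart form and checked on submit, plus a login requirement or rate limit on the number of recipients a session may mail.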