[Koha-bugs] [Bug 3280] New: opac/opac-sendbasket.pl security leaky

bugzilla-daemon at liblime.com bugzilla-daemon at liblime.com
Mon Jun 1 20:42:11 CEST 2009


http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3280

           Summary: opac/opac-sendbasket.pl security leaky
           Product: Koha
           Version: HEAD
          Platform: Other
        OS/Version: Linux - Debian
            Status: NEW
          Severity: normal
          Priority: P3
         Component: OPAC
        AssignedTo: jmf at liblime.com
        ReportedBy: dbavousett at ptfs.com
   Estimated Hours: 0.0
 Change sponsored?: ---


It is possible for a clever user who has access to the source to spot that
opac-sendbasket.pl has a security leak, and use a Koha server as a spam relay.

opac-sendbasket.pl uses CGI's param() method to fetch in parameters.  This
functions fine, but it doesn't *care* if the parameters come in via GET or POST
methods.  Thus, you can:

http://server/cgi-bin/koha/opac-sendbasket.pl?&email_add=user@domain.com&comment="blahblahblah"

This will send a message with the cart header as defined elsewhere, plus the
comments from the "comment" param, to user at domain.com.  A moderately-clever
geek could easily work out a script to use this as a spamming tool.

My suggestion would be to either use CGI_Lite, which allows for control over
passing method, or manually fetching in the parameters "the hard way", which
would allow you to explicitly disallow GET params in (at a minimum) email_add
and comment.
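A hardened version of the parameter fetch described above, as an added example (not Koha's code and not the reporter's): it keeps CGI.pm but refuses anything other than a POST, and also rejects a POST whose query string carries email_add or comment, since CGI.pm's url_param() reads only the query string while param() does not distinguish the source. The helper name fetch_post_only_params and the three sample requests are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Koha code: POST-only fetch of the mail parameters
# named in the bug report (email_add, comment). Helper names are hypothetical.
use strict;
use warnings;
use CGI;

# Parameters that must never be accepted from the query string: a bare GET
# link carrying them would let anyone trigger an outbound message.
my @post_only = qw(email_add comment);

# Returns a hashref of the validated parameters, or undef to refuse the request.
sub fetch_post_only_params {
    my ($cgi) = @_;

    # param() merges whatever source CGI.pm read from, so gate on the method first.
    return undef unless ( $cgi->request_method || '' ) eq 'POST';

    my %out;
    for my $name (@post_only) {
        # url_param() parses $ENV{QUERY_STRING} only; if a sensitive name is
        # present there, this is not a plain form post and is refused outright.
        return undef if defined $cgi->url_param($name);
        $out{$name} = $cgi->param($name);
    }
    return \%out;
}

# Constructed requests run offline: [method, query string, POST body].
# A real CGI.pm object reads these from the web server itself; here the
# body (or, for GET, the query string) is handed to CGI->new as a string.
for my $case (
    [ 'GET',  'email_add=user@example.com&comment=hello', '' ],
    [ 'POST', 'email_add=user@example.com',               'comment=hi' ],
    [ 'POST', '',                            'email_add=user@example.com&comment=hi' ],
) {
    my ( $method, $query, $body ) = @$case;
    local $ENV{REQUEST_METHOD} = $method;
    local $ENV{QUERY_STRING}   = $query;
    my $cgi    = CGI->new( $method eq 'POST' ? $body : $query );
    my $params = fetch_post_only_params($cgi);
    printf "%-4s query='%s' body='%s' => %s\n", $method, $query, $body,
        $params ? "accepted (to $params->{email_add})" : 'refused';
}
```

Only the third request is accepted; the GET link from the report and the POST that smuggles email_add through the URL are both refused before any mail code runs.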

