[Koha-bugs] [Bug 6628] New: [security] help system use insecure REFERRER for file inclusion
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Mon Jul 25 11:47:21 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628
Bug #: 6628
Summary: [security] help system use insecure REFERRER for file
inclusion
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Architecture, internals, and plumbing
AssignedTo: gmcharlt at gmail.com
ReportedBy: semarie-koha at latrappe.fr
QAContact: koha-bugs at lists.koha-community.org
The 'help.pl' use REFERRER HTTP-Header for determine which template should be
displayed to user.
This HTTP-Header could be forged by user.
CWE-73: External Control of File Name or Path (see
http://cwe.mitre.org/data/definitions/73.html)
The template name is extracted from REFERRER which regex:
> our $refer = $query->referer();
> $refer =~ /koha\/(.*)\.pl/;
> my $from = "modules/help/$1.tt";
So it is possible to have a referer like: http://xxx/koha/EVIL-THING.plxxx
and $from should be egal to "modules/help/EVIL-THING.tt"
Some suggestions:
- It should be better to have a better regex for extract the help template:
like only allow a-zA-Z, '-' and '/' (not including '.' [for ".."], but
including '/' for help templates like "members/boraccount.tt")
- It will be better to rename all help templates from: "members/boraccount.tt"
to "members-boraccount.tt", in order to remove need of '/' in regex. And all
'/' in value taken from referer must be remplaced by '-'. ('-' in path is less
worst than '/').
--
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
More information about the Koha-bugs
mailing list