[Koha-bugs] [Bug 6629] New: [security] insecure use of Cookie for language selection
bugzilla-daemon at bugs.koha-community.org
Mon Jul 25 11:59:20 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629
Bug #: 6629
Summary: [security] insecure use of Cookie for language selection
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P5
Component: Architecture, internals, and plumbing
AssignedTo: gmcharlt at gmail.com
ReportedBy: semarie-koha at latrappe.fr
QAContact: koha-bugs at lists.koha-community.org
CWE-73: External Control of File Name or Path (see
http://cwe.mitre.org/data/definitions/73.html)
In C4/Templates.pm, in the function themelanguage, the user language is obtained
from a cookie 'KohaOpacLanguage', and used as-is in the construction of the path
for the template filename.
In the next piece of code, $la is the 'KohaOpacLanguage' cookie value:
> # searches through the themes and languages. First template it find it returns.
> # Priority is for getting the theme right.
> THEME:
> foreach my $th (@themes) {
>     foreach my $la (@languages) {
>         if ( -e "$htdocs/$th/$la/modules/$tmpl" ) {
>             $theme = $th;
>             $lang  = $la;
>             last THEME;
>         }
>         last unless $la =~ /[-_]/;
>     }
> }
In opac/opac-main.pl, the same: if the cookie 'KohaOpacLanguage' exists, it is used.
Here, the page also uses HTTP_ACCEPT_LANGUAGE sanitized with a regex.
In koha/installer/install.pl and koha/installer/InstallAuth.pm the cookie is
also used (but it needs verification whether it is used in a manner that permits
exploitation).
As the cookie could be forged (user input), and can contain any characters, it
could embed '../' for path traversal.
The exploitation of this problem is mitigated by the fact that the perl
function '-e' seems to be resistant to '\0' inclusion (which would otherwise
strip the rest of the string after the variable).
Suggestions:
- A regex sanitization should be used, or the C4::Output::getlanguagecookie
function should be used, which takes only the first two characters (I would
prefer a regex like /^[a-zA-Z]*$/ )
- A unified method should be used: a function somewhere (C4::Templates ?) that
returns a list of possible languages:
- first element: the cookie value, sanitized (if it exists)
- next: the sanitized list from ENV{HTTP_ACCEPT_LANGUAGE}
- next: 'en'
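The following is an added example, not Koha's code and not part of the report above. It shows the unified approach the report suggests: every language tag (cookie first, then Accept-Language, then 'en') is validated against an allowlist pattern before it is ever interpolated into a filesystem path, so a forged cookie such as '../../etc/passwd' is simply dropped. The function names (sanitize_language, accept_languages, candidate_languages, find_template) are hypothetical, and the pattern is an assumption: it is slightly wider than the report's /^[a-zA-Z]*$/ so that region-qualified tags like 'fr-FR' or 'es_ES', which the theme loop's `last unless $la =~ /[-_]/` clearly expects, are still accepted.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): build the candidate language list from
# validated inputs only, then resolve the template path from that list.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Allowlist pattern (assumption, see lead-in): "en", "fr-FR", "es_ES".
# No '/', '.', NUL or whitespace can ever match.
my $LANG_RE = qr/^[a-zA-Z]{2,3}(?:[-_][a-zA-Z]{2,4})?$/;

# Return the tag unchanged if it matches the allowlist, otherwise undef.
sub sanitize_language {
    my ($tag) = @_;
    return undef unless defined $tag;
    return $tag =~ $LANG_RE ? $tag : undef;
}

# Parse an Accept-Language header into validated tags ordered by q value
# (header order is kept among equal weights; q=0 entries are dropped).
sub accept_languages {
    my ($header) = @_;
    return () unless defined $header;
    my @ranked;
    for my $part ( split /\s*,\s*/, $header ) {
        my ( $tag, @params ) = split /\s*;\s*/, $part;
        my $q = 1;
        for my $p (@params) { $q = $1 if $p =~ /^q=([0-9.]+)$/ }
        next if $q == 0;
        my $clean = sanitize_language($tag);
        push @ranked, [ $clean, $q, scalar @ranked ] if defined $clean;
    }
    return map { $_->[0] }
        sort { $b->[1] <=> $a->[1] || $a->[2] <=> $b->[2] } @ranked;
}

# The unified list the report asks for: sanitized cookie, then sanitized
# Accept-Language tags, then the fallback 'en', without duplicates.
sub candidate_languages {
    my ( $cookie, $accept_header ) = @_;
    my ( @list, %seen );
    for my $tag ( sanitize_language($cookie), accept_languages($accept_header), 'en' ) {
        next unless defined $tag;
        push @list, $tag unless $seen{$tag}++;
    }
    return @list;
}

# Same search order as Koha's THEME loop, but only over validated tags,
# so the raw cookie value never reaches the filesystem.
sub find_template {
    my ( $htdocs, $themes, $languages, $tmpl ) = @_;
    for my $th (@$themes) {
        for my $la (@$languages) {
            my $path = "$htdocs/$th/$la/modules/$tmpl";
            return ( $th, $la, $path ) if -e $path;
        }
    }
    return;
}

# Constructed inputs: a normal cookie, a forged traversal cookie, no cookie.
my @cases = (
    [ 'fr-FR',                  'en-GB;q=0.8, en;q=0.5' ],
    [ '../../../../etc/passwd', 'de' ],
    [ undef,                    'es_ES, fr;q=0.9' ],
);

# Constructed htdocs tree in a temporary directory: theme 'prog' with
# templates for 'fr-FR' and 'en' only.
my $htdocs = tempdir( CLEANUP => 1 );
for my $la (qw(fr-FR en)) {
    make_path("$htdocs/prog/$la/modules");
    open my $fh, '>', "$htdocs/prog/$la/modules/opac-main.tmpl" or die "open: $!";
    close $fh;
}

for my $c (@cases) {
    my ( $cookie, $accept ) = @$c;
    my @langs = candidate_languages( $cookie, $accept );
    my ( $theme, $lang, $path ) = find_template( $htdocs, ['prog'], \@langs, 'opac-main.tmpl' );
    printf "cookie=%-26s candidates=%-18s chosen=%s\n",
        defined $cookie ? "'$cookie'" : 'undef', join( ',', @langs ),
        defined $lang ? "$theme/$lang" : 'none';
}
```

Running this prints candidates `fr-FR,en-GB,en` (chosen `prog/fr-FR`), `de,en` (the forged cookie is discarded and `prog/en` is chosen), and `es_ES,fr,en` (chosen `prog/en`). The design point is that validation happens once, at the boundary where the cookie and header are read, and the path-building code only ever sees tags that already passed the allowlist; that is what makes the '../' and NUL concerns in the report moot rather than merely mitigated.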