[Koha-bugs] [Bug 6629] New: [security] insecure use of Cookie for language selection

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Jul 25 11:59:20 CEST 2011


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629

             Bug #: 6629
           Summary: [security] insecure use of Cookie for language
                    selection
    Classification: Unclassified
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: critical
          Priority: P5
         Component: Architecture, internals, and plumbing
        AssignedTo: gmcharlt at gmail.com
        ReportedBy: semarie-koha at latrappe.fr
         QAContact: koha-bugs at lists.koha-community.org


CWE-73: External Control of File Name or Path (see
http://cwe.mitre.org/data/definitions/73.html)

In C4/Templates.pm, in the function themelanguage, the user language is obtained
from the cookie 'KohaOpacLanguage' and used as-is when constructing the path to
the template file.

In the following piece of code, $la is the 'KohaOpacLanguage' cookie value:

> # Searches through the themes and languages; the first template found is used.
> # Priority is for getting the theme right.
>  THEME:
>    foreach my $th (@themes) {
>        foreach my $la (@languages) {
>            if ( -e "$htdocs/$th/$la/modules/$tmpl" ) {
>                $theme = $th;
>                $lang  = $la;
>                last THEME;
>            }
>            last unless $la =~ /[-_]/;
>        }
>    }


In opac/opac-main.pl, the same applies: if the cookie 'KohaOpacLanguage' exists,
it is used. Here the page also uses HTTP_ACCEPT_LANGUAGE, sanitized with a regex.

In koha/installer/install.pl and koha/installer/InstallAuth.pm the cookie is
also used (but it needs verification whether it is used in a manner that permits
exploitation).


As the cookie can be forged (it is user input) and may contain any characters, it
could embed '../' for path traversal.

Exploitation of this problem is mitigated by the fact that the Perl '-e' file
test seems to be resistant to '\0' inclusion (which would be needed to strip the
rest of the string after the variable).


Suggestions:
 - Regex sanitization should be used, or the C4::Output::getlanguagecookie
function should be used, which takes only the first two characters (I would
prefer a regex like /^[a-zA-Z]*$/ ).

 - A unified method should be used: a function somewhere (C4::Templates ?) that
returns a list of possible languages:
   - first element: the sanitized cookie value (if it exists)
   - next: the sanitized list from ENV{HTTP_ACCEPT_LANGUAGE}
   - next: 'en'
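As an added illustration of the unified method suggested above (example code, not Koha's own), the following Perl builds the ordered language list and whitelists each value before it can reach a file path. The function names, the regex (letters plus '-'/'_' only, a bit wider than /^[a-zA-Z]*$/ so tags like 'fr-FR' pass) and the sample request values are assumptions for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not Koha's code: the unified language lookup the
# report suggests. Only letters and '-'/'_' separators are allowed, so a
# forged cookie such as "../../etc/passwd" can never reach the template
# path. \z is used instead of $ so that a trailing "\n" is rejected too.
my $LANG_RE = qr/^[a-zA-Z]+(?:[-_][a-zA-Z]+)*\z/;

# Return the value unchanged if it is a plausible language tag, else undef.
sub sanitize_language {
    my ($value) = @_;
    return undef unless defined $value && $value =~ $LANG_RE;
    return $value;
}

# Parse an Accept-Language header, order entries by q-value (highest first,
# header order on ties) and keep only those that pass the whitelist.
sub accept_language_candidates {
    my ($header) = @_;
    return () unless defined $header;
    my @entries;
    my $pos = 0;
    for my $part ( split /,/, $header ) {
        my ( $tag, $q ) = $part =~ /^\s*([^;\s]+)(?:\s*;\s*q=([0-9.]+))?/;
        next unless defined $tag;
        push @entries, [ $tag, defined $q ? $q : 1, $pos++ ];
    }
    return grep { defined }
        map  { sanitize_language( $_->[0] ) }
        sort { $b->[1] <=> $a->[1] || $a->[2] <=> $b->[2] } @entries;
}

# Ordered, de-duplicated list: sanitized cookie, then Accept-Language, then 'en'.
sub candidate_languages {
    my (%args) = @_;
    my @list = ( sanitize_language( $args{cookie} ),
                 accept_language_candidates( $args{accept_language} ), 'en' );
    my %seen;
    return grep { defined $_ && !$seen{$_}++ } @list;
}

# Constructed request: the traversal attempt in the cookie is silently dropped,
# the header entries are kept in q-value order and 'en' remains the fallback.
my @langs = candidate_languages(
    cookie          => "../../etc/passwd",
    accept_language => "fr-FR,fr;q=0.9,en;q=0.8",
);
print join( ", ", @langs ), "\n";
```

Every element of the returned list has already passed the whitelist, so the existing `-e "$htdocs/$th/$la/modules/$tmpl"` loop can consume it without any further checks.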
