[Koha-bugs] [Bug 6628] [security] help system use insecure REFERRER for file inclusion
bugzilla-daemon at bugs.koha-community.org
Mon Nov 28 10:40:47 CET 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628
--- Comment #7 from Frère Sébastien Marie <semarie-koha at latrappe.fr> 2011-11-28 09:40:47 UTC ---
(In reply to comment #6)
> This vulnerability would allow anyone to read any .tt file on the server. As
> /etc/password does not end with .tt, this problem is much less critical than the
> 6629 one!
Paul, here I disagree with you :-)
Under 3.4.x (sorry, no master deployed for test), I could successfully exploit
this vulnerability to echo /etc/passwd. The ".tt" at the end is normally
discarded by %00 (it means the same as \0 in a C string: it stands for
end-of-string).
Katrin, you could try adding more ../ to the URL (here the traversal has to go back
from "$htdocs/$theme/$lang/modules/help/", and depending on where $htdocs is
located, there are a couple of parent directories before the filesystem root).
My test against 3.4.x:
/cgi-bin/koha/help.pl?url=koha/../../../../../../../../../../../etc/passwd%00.pl
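The two defects discussed in this comment (the appended ".tt" being cut off by an embedded NUL, and ../ components walking out of the help directory) are both closed by validating the parameter before anything is opened. The following is an added example in Python, not Koha's own code (help.pl itself is Perl); the help root directory, the leading "koha/" prefix and the ".pl" to ".tt" mapping are assumptions inferred from the shape of the payload quoted above.

```python
import os
import re
from typing import Optional

# Constructed stand-in for "$htdocs/$theme/$lang/modules/help/" (assumption).
HELP_ROOT = "/usr/share/koha/intranet/htdocs/intranet-tmpl/prog/en/modules/help"
# A path component may only be a plain name: letters, digits, '_' and '-'.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9_-]+$")


def help_template_for(url_param: str, root: str = HELP_ROOT) -> Optional[str]:
    """Map a help.pl 'url' parameter such as 'koha/admin/admin-home.pl' to the
    template path under root, or return None if the parameter is rejected.
    Assumed mapping: the leading 'koha/' is dropped and '.pl' becomes '.tt'."""
    # 1. A NUL byte anywhere is fatal: a C-style open() stops reading at \0,
    #    so the suffix appended after it would silently disappear. The raw
    #    '%00' form is refused as well so the check does not depend on whether
    #    the CGI layer has already percent-decoded the value.
    if "\x00" in url_param or "%00" in url_param.lower():
        return None
    # 2. Only the expected shape is accepted: 'koha/' prefix, '.pl' suffix,
    #    and no backslashes that some platforms treat as separators.
    if (not url_param.startswith("koha/") or not url_param.endswith(".pl")
            or "\\" in url_param):
        return None
    relative = url_param[len("koha/"):-len(".pl")]
    # 3. Every component must be a plain name. This rejects '..', '.', empty
    #    components ('//') and any punctuation that could change directory.
    parts = relative.split("/")
    if not parts or not all(SAFE_COMPONENT.match(part) for part in parts):
        return None
    candidate = os.path.normpath(os.path.join(root, *parts)) + ".tt"
    # 4. Defence in depth: the normalised result must still lie under root.
    normalised_root = os.path.normpath(root)
    if os.path.commonpath([normalised_root, candidate]) != normalised_root:
        return None
    return candidate
```

Only the validated path is ever handed to the template engine; the raw parameter is never joined to a directory and opened directly.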