[Koha-bugs] [Bug 8171] New: Improper escaping of quotes during z39.50 queries leads to potential malicious code execution
bugzilla-daemon at bugs.koha-community.org
Thu May 31 20:18:49 CEST 2012
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8171
Priority: P5 - low
Change sponsored?: ---
Bug ID: 8171
Assignee: gmcharlt at gmail.com
Summary: Improper escaping of quotes during z39.50 queries leads to potential malicious code execution
Severity: normal
Classification: Unclassified
OS: Linux
Reporter: bhurley at aihs.org
Hardware: PC
Status: NEW
Version: rel_3_8
Component: Z39.50 / SRU / OpenSearch Servers
Product: Koha
When using Koha v. 3.8 for z39.50-based copy cataloging, if the title being
searched for contains quotes, then everything after the first set of quotation
marks is not transferred to the z39.50 search. For example, the title The Irish
"Americans" only shows up as The Irish in the z39.50 search pop-up window. My
understanding is that improper escaping of quotes can cause SQL injection
attacks, although this would require the malicious coder to be in the staff
area (intranet) to conduct such an attack. It also leads to incorrect z39.50
search results, if one is unaware of the problem.
I believe the problem is in the C4::Z3950 Perl module. The $term variable
doesn't ignore the quotes which may legitimately be in the string. I believe
the error is on line 228 of the C4::Z3950 module, my version (3.8) of which
reads
228 $sth=$dbh->prepare("insert into z3950queue (term,type,servers, identifier) values (?, ?, ?, ?)");
I think it should read
228 $sth=$dbh->prepare("insert into z3950queue (q{term},type,servers, identifier) values (?, ?, ?, ?)");
If there is anything I can do to further this process, or if you believe my
report is in error, please let me know. Keep up the good work.
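An added illustration, not code from Koha or from the reporter: a Python/sqlite3 stand-in for the placeholder insert quoted above, contrasting a bound "?" parameter (the title's quotes are stored verbatim) with the hypothetical alternative of splicing the term into the SQL text, which fails as soon as a title contains an apostrophe. The table schema and the type/servers/identifier values are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the z3950queue table named in the report;
# the schema is reduced to the four columns the INSERT uses plus a row id.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE z3950queue (id INTEGER PRIMARY KEY, term TEXT, "
        "type TEXT, servers TEXT, identifier TEXT)"
    )
    return db

def last_term(db):
    row = db.execute("SELECT term FROM z3950queue ORDER BY id DESC LIMIT 1").fetchone()
    return row[0] if row else None

def queue_search_bound(db, term, qtype, servers, identifier):
    """Insert with '?' placeholders, as the quoted line 228 does.

    The term is bound as a value rather than pasted into the SQL text, so any
    quote characters in it are stored as data and never parsed as SQL syntax.
    Returns the term as it was actually stored."""
    db.execute(
        "INSERT INTO z3950queue (term, type, servers, identifier) VALUES (?, ?, ?, ?)",
        (term, qtype, servers, identifier),
    )
    return last_term(db)

def queue_search_spliced(db, term, qtype, servers, identifier):
    """The same insert WITHOUT placeholders (hypothetical, not Koha's code):
    the term is spliced into the SQL text, so an apostrophe in a title ends
    the string literal early and the statement fails to parse. Returns the
    stored term, or an 'error: ...' string when the statement is rejected."""
    sql = (
        "INSERT INTO z3950queue (term, type, servers, identifier) "
        f"VALUES ('{term}', '{qtype}', '{servers}', '{identifier}')"
    )
    try:
        db.execute(sql)
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return last_term(db)

if __name__ == "__main__":
    db = make_db()
    title = 'The Irish "Americans"'  # the title from the report
    print(queue_search_bound(db, title, "title", "lc", "1"))
    print(queue_search_bound(db, "O'Brien", "title", "lc", "2"))
    print(queue_search_spliced(db, "O'Brien", "title", "lc", "3"))
```

Whatever drops the text after the first quotation mark in the z39.50 pop-up, it is not the bound insert: the full title round-trips through the placeholder version unchanged.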