[koha-commits] main Koha release repository branch, master, updated. v3.02.00-712-gb0f6022

Git repo owner gitmaster at git.koha-community.org
Thu Feb 24 19:08:59 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".

The branch, master has been updated
       via  b0f60221f41041665c4fecacce35654fc8d45a01 (commit)
      from  2a3f7c141798121a75fc9ee670af0fdde431d9c2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b0f60221f41041665c4fecacce35654fc8d45a01
Author: Chris Nighswonger <cnighswonger at foundations.edu>
Date:   Thu Feb 24 09:57:11 2011 -0500

    Security Bugfix: Bug 1953 Adding Placeholders to SQL To Avoid Potential Injection Attacks
    
    This patch addresses both security issues mentioned in the summary of the report
    submitted by Frère Sébastien Marie included below.
    
    ---------------------------
    The problem is here: 'C4/AuthoritiesMarc.pm' in the function 'DelAuthority':
    The argument $authid is included directly (not via statement) in the SQL.
    
    For the exploit of this problem, you can use 'authorities/authorities-home.pl'
    with authid on the URL and op=delete (something like
    "authorities/authorities-home.pl?op=delete&authid=xxx").
    
    This should successfully call DelAuthority, without authentication...
    (DelAuthority is called BEFORE get_template_and_user, so before authentication
    [This should be an issue also...]).
    
    Please note that the problem isn't only that anyone can delete an authority of
    their choice, it is more general: with "authid=1%20or%1=1" (after inclusion the SQL
    will be like: "delete from auth_header where authid=1 or 1=1") you delete all
    authorities; with "authid=1;delete%20from%xxx" it is "delete from auth_header
    where authid=1;delete from xxx" and so delete what you want...
    
    SQL-INJECTION is very permissive: you can redirect the output into a file (with
    some MySQL function), so write the file of your choice on the server, in order
    to create a backdoor, and compromise the server.
    
    Signed-off-by: Frère Sébastien Marie <semarie-koha at latrappe.fr>
    Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 C4/AuthoritiesMarc.pm           |    4 ++--
 authorities/authorities-home.pl |    5 +----
 2 files changed, 3 insertions(+), 6 deletions(-)


hooks/post-receive
-- 
main Koha release repository
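
The change named in the commit subject (a placeholder instead of interpolating $authid), shown as an added example; this is not the Koha patch, whose diff is not included in this notification. It assumes DBI with DBD::SQLite and a constructed auth_header table; the function names and the integer check are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not Koha code. Assumes DBI and DBD::SQLite are installed.
use strict;
use warnings;
use DBI;

# Constructed sample data in an in-memory database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE auth_header (authid INTEGER PRIMARY KEY, heading TEXT)');
$dbh->do('INSERT INTO auth_header (authid, heading) VALUES (?, ?)',
    undef, $_, "heading $_") for 1 .. 3;

sub count_rows {
    my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM auth_header');
    return $count;
}

# Before: the parameter is interpolated, so it becomes part of the SQL text.
sub del_authority_interpolated {
    my ($authid) = @_;
    return $dbh->do("DELETE FROM auth_header WHERE authid=$authid");
}

# After: the value is bound to a placeholder and is only ever treated as data.
# The integer check is an extra guard (hypothetical, not stated in the commit).
sub del_authority_bound {
    my ($authid) = @_;
    return 0 unless defined $authid && $authid =~ /\A[0-9]+\z/;
    return $dbh->do('DELETE FROM auth_header WHERE authid=?', undef, $authid);
}

# The value from the report, as it appears once included in the SQL.
my $input = '1 or 1=1';

# Run the interpolated form inside a transaction so the sample rows come back.
$dbh->begin_work;
del_authority_interpolated($input);
printf "interpolated:          %d rows left\n", count_rows();
$dbh->rollback;

del_authority_bound($input);
printf "bound, input rejected: %d rows left\n", count_rows();

del_authority_bound('2');
printf "bound, authid=2:       %d rows left\n", count_rows();
```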

