[Koha-devel] security question about injection in Zebra

Fridolyn SOMERS fridolyn.somers at gmail.com
Fri Jul 8 09:42:55 CEST 2011


Hi,

A just question indeed.

About: "if one contains a double-quote escape in done (and could result in an
invalid query)"
You should open a bug.
I think replacing double-quotes with a space should work, double quotes are
considered by Zebra like a space between 2 words.

Needs more investigation.

Regards,

2011/6/30 Frère Sébastien <sebastien.marie at latrappe.fr>

> Hi,
>
> Seeing the patch proposed by Marcel de Rooy for bug 6536, a question
> arrived in my mind about injection of code in Zebra.
>
> Is someone aware of something like that?
>
> Next, an extract of the patch (and after it my comments):
>
> On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
> > Z3950 Enhancements: SRU search targets, MARC conversion and additional
> XSLT processing
> >
> > diff --git a/C4/Breeding.pm b/C4/Breeding.pm
> > index 9003f9a..cb04e14 100644
> > --- a/C4/Breeding.pm
> > +++ b/C4/Breeding.pm
>
> [...]
>
> > +sub build_query {
> > +  my $nterms=0;
> > +  my $title         = $input->param('title')||'';
> > +  my $author        = $input->param('author')||'';
> > +  my $isbn          = $input->param('isbn')||'';
> > +  my $lccall        = $input->param('lccall')||'';
> > +  my $subject       = $input->param('subject')||'';
> > +  my $dewey         = $input->param('dewey')||'';
> > +  my $controlnumber = $input->param('controlnumber')||'';
> > +  my $stdid         = $input->param('stdid')||'';
> > +  my $srchany       = $input->param('srchany')||'';
> > +
> > +  if ($isbn) {
> > +        $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
> > +     $squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and ";
> > +        $nterms++;
> > +  }
> > +  if ($title) {
> > +        utf8::decode($title);
> > +        $zquery .= "\@attr 1=4 \"$title\" ";
> > +     $squery .= "[title]=\"$title\" and ";
> > +        $nterms++;
> > +  }
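Review bot: in the `if ($isbn)` and `if ($title)` branches the request parameters are interpolated straight into the PQF and CCL strings inside double quotes (`\"$isbn\"`, `\"$title\"`) with no escaping, so a value containing a double quote ends the quoted term early and the remainder of the value is parsed as query syntax; pass each value through a small helper that strips or escapes `"` (and `\`) before building `$zquery` and `$squery`. Also, `$zquery` is assigned with `=` in the isbn branch but appended with `.=` in the title branch, and neither `$zquery` nor `$squery` is declared with `my` in the visible part of the sub; declare both as `my $zquery = ''; my $squery = '';` at the top of `build_query` so a request with a title but no isbn does not append to an undefined or stale value.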
>
> [...]
>
>
> First, some notes about code:
>  - all variables seem to come from user data (input query), so are user
> controlled.
>  - if one contains a double-quote escape in done (and could result in an
> invalid query)
>
>
> About zebra possible exploits (untested):
>  - yaz-client (Z39.50 client) permits a bang pattern for shell invocation;
> does the library too?
>  - does Zebra permit anonymous index writes? (resulting in index corruption,
> possibly affecting Koha in places where data are read from Zebra and used
> as-is)
>  - or connection to another server? (could expose the local network area)
>  - ...
>
> If someone has other ideas...
>
>
> If the Zebra library permits the use of placeholders, we should use them. Else
> perhaps develop a small function for variable escaping before inclusion in the
> Zebra query.
>
> Thanks.
> --
> Frère Sébastien Marie
> Abbaye Notre Dame de La Trappe
> 61380 Soligny-la-Trappe
> Tél: 02.33.84.17.00
> Fax: 02.33.34.98.57
> Web: http://www.latrappe.fr/
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : http://www.koha-community.org/
> git : http://git.koha-community.org/
> bugs : http://bugs.koha-community.org/
>



-- 
Fridolyn SOMERS
ICT engineer
PROGILONE - Lyon - France
fridolyn.somers at gmail.com
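As an added example (not code from the Koha patch or from either poster), here is a small Perl helper of the kind Sébastien suggests, using Fridolyn's replace-double-quote-with-a-space approach; `escape_query_term`, `build_queries` and the sample form values are constructed for illustration, and backslash handling is an assumption beyond what the thread states:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not part of C4/Breeding.pm: make a user value safe to
# place inside a double-quoted PQF/CCL term. Double quotes are replaced by a
# space, as Fridolyn suggests; backslashes get the same treatment as a
# conservative assumption, since PQF parsers treat them as escape characters.
# Returns the empty string when nothing usable is left, so callers can skip
# the term instead of emitting an empty "" operand.
sub escape_query_term {
    my ($term) = @_;
    return '' unless defined $term;
    $term =~ s/["\\]/ /g;      # no way to close the quoted term early
    $term =~ s/\s+/ /g;        # collapse runs of whitespace
    $term =~ s/^ | $//g;       # trim the single leading/trailing space
    return $term;
}

# Builds the same PQF ($zquery) and CCL ($squery) fragments as the patched
# build_query, but with every request value passed through escape_query_term.
# Takes a hash of form fields instead of a CGI object so it runs stand-alone.
sub build_queries {
    my (%form) = @_;
    my ($zquery, $squery, $nterms) = ('', '', 0);   # declared, not package globals

    my $isbn = escape_query_term($form{isbn});
    if (length $isbn) {
        $zquery .= "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
        $squery .= "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and ";
        $nterms++;
    }
    my $title = escape_query_term($form{title});
    if (length $title) {
        $zquery .= "\@attr 1=4 \"$title\" ";
        $squery .= "[title]=\"$title\" and ";
        $nterms++;
    }
    return ($zquery, $squery, $nterms);
}

# Constructed sample submissions (not real requests).
my @samples = (
    { title => 'Unix "Power" Tools', isbn => '' },   # quote inside the title
    { title => '"',                  isbn => '' },   # nothing left after escaping
);

for my $form (@samples) {
    my $naive = "\@attr 1=4 \"$form->{title}\" ";    # what the patch would emit
    my ($z, $s, $n) = build_queries(%$form);
    print "naive PQF:   $naive\n";
    print "escaped PQF: $z\n";
    print "escaped CCL: $s\n";
    print "terms:       $n\n\n";
}
```

For the first sample the naive string contains three double quotes and a dangling `Tools"`, while the escaped PQF is `@attr 1=4 "Unix Power Tools"`; for the second the helper leaves nothing and the term is dropped, so `$nterms` stays 0 instead of emitting `""`. Zebra treats the replacement space as a word boundary, which is why the simple substitution preserves the search while removing the structural character.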