[Koha-devel] security question about injection in Zebra

LAURENT Henri-Damien henridamien.laurent at gmail.com
Fri Jul 8 12:32:24 CEST 2011


On 30/06/2011 19:53, Frère Sébastien Marie wrote:
> Hi,
> 
> Seeing the patch proposed by Marcel de Rooy for bug 6536, a question came to my mind about code injection in Zebra.
> 
> Is someone aware of something like that?
> 
> Next, an extract of the patch (my comments follow):
> 
> On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
>> Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
>>
>> diff --git a/C4/Breeding.pm b/C4/Breeding.pm
>> index 9003f9a..cb04e14 100644
>> --- a/C4/Breeding.pm
>> +++ b/C4/Breeding.pm
> 
> [...]
> 
>> +sub build_query {
>> +  my $nterms=0;
>> +  my $title         = $input->param('title')||'';
>> +  my $author        = $input->param('author')||'';
>> +  my $isbn          = $input->param('isbn')||'';
>> +  my $lccall        = $input->param('lccall')||'';
>> +  my $subject       = $input->param('subject')||'';
>> +  my $dewey         = $input->param('dewey')||'';
>> +  my $controlnumber = $input->param('controlnumber')||'';
>> +  my $stdid         = $input->param('stdid')||'';
>> +  my $srchany       = $input->param('srchany')||'';
>> +
>> +  if ($isbn) {
>> +        $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
>> +	$squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and ";
>> +        $nterms++;
>> +  }
>> +  if ($title) {
>> +        utf8::decode($title);
>> +        $zquery .= "\@attr 1=4 \"$title\" ";
>> +	$squery .= "[title]=\"$title\" and ";
>> +        $nterms++;
>> +  }
> 
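Review bot: in both branches of build_query, request parameters (`$isbn`, `$title`, and the other `$input->param(...)` values above them) are interpolated straight into the quoted terms of `$zquery` and `$squery`, so a value containing a double quote or a backslash ends the quoted term early and the rest of the value is parsed as query syntax; escape `"` and `\` in each value before interpolation (checking the quoting rules of the target query language for each of the two strings), or build the terms through the ZOOM query API instead of string concatenation. A second point in the same hunk: `$zquery` and `$squery` are assigned with `=` only in the `if ($isbn)` branch but appended to with `.=` in the `if ($title)` branch, so when no ISBN is given they are appended to before being initialised; declare and initialise both to `''` at the top of the sub next to `$nterms`.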
> [...]
> 
> 
> First, some notes about the code:
>  - all variables seem to come from user data (the input query), so they are user controlled.
>  - if one contains a double quote, no escaping is done (which could result in an invalid query)
> 
> 
> About possible Zebra exploits (untested):
>  - yaz-client (the Z39.50 client) permits a bang pattern for shell invocation; does the library too?
Mmm, nice question. But I don't think so.

>  - does Zebra permit anonymous index writes? (resulting in index corruption, possibly affecting Koha in places where data are read from Zebra and used 'as-is')
No. The default Zebra configuration in Koha only allows anonymous READ access.
And every read/write is subject to authentication.

>  - or connections to another server? (this could expose the local network area)
The default Zebra configuration in Koha listens only on a Unix socket and does not even
expose the Zebra server to the outer Internet.

> If the Zebra library permits the use of placeholders, we should use them. Otherwise, perhaps develop a small function for variable escaping before inclusion in a Zebra query.
It is not a feature that I am aware of.
But it uses ZOOM::RPN queries, and Koha is forging those.
> 
> Thanks.

-- 
Henri-Damien LAURENT
BibLibre
