[Koha-devel] security question about injection in Zebra
LAURENT Henri-Damien
henridamien.laurent at gmail.com
Fri Jul 8 12:32:24 CEST 2011
On 30/06/2011 19:53, Frère Sébastien Marie wrote:
> Hi,
>
> Seeing the patch proposed by Marcel de Rooy for bug 6536, a question came to my mind about injection of code in Zebra.
>
> Is someone aware of something like that?
>
> Next, an extract of the patch (and after it, my comments):
>
> On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
>> Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
>>
>> diff --git a/C4/Breeding.pm b/C4/Breeding.pm
>> index 9003f9a..cb04e14 100644
>> --- a/C4/Breeding.pm
>> +++ b/C4/Breeding.pm
>
> [...]
>
>> +sub build_query {
>> + my $nterms=0;
>> + my $title = $input->param('title')||'';
>> + my $author = $input->param('author')||'';
>> + my $isbn = $input->param('isbn')||'';
>> + my $lccall = $input->param('lccall')||'';
>> + my $subject = $input->param('subject')||'';
>> + my $dewey = $input->param('dewey')||'';
>> + my $controlnumber = $input->param('controlnumber')||'';
>> + my $stdid = $input->param('stdid')||'';
>> + my $srchany = $input->param('srchany')||'';
>> +
>> + if ($isbn) {
>> + $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
>> + $squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and ";
>> + $nterms++;
>> + }
>> + if ($title) {
>> + utf8::decode($title);
>> + $zquery .= "\@attr 1=4 \"$title\" ";
>> + $squery .= "[title]=\"$title\" and ";
>> + $nterms++;
>> + }
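Review bot: every CGI value read at the top of build_query ($isbn, $title and the others) is interpolated into $zquery and $squery inside double quotes with no escaping, so a value containing `"` closes the quoted term and whatever follows is parsed by the remote Z39.50/SRU target as query syntax; escape backslashes and double quotes before building the strings (e.g. `$title =~ s/(["\\])/\\$1/g;`), preferably through one helper applied to every parameter rather than per branch. In the same hunk, $zquery and $squery are never initialized while the title branch uses `.=` on them, so a title-only search concatenates onto an undefined value (a warning under `use warnings`); initialize both to '' next to `my $nterms=0;`. Also, $input is used but not declared or passed in within the hunk, and utf8::decode is applied to $title but not to $isbn, which looks inconsistent.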
>
> [...]
>
>
> First, some notes about the code:
> - all variables seem to come from user data (input query), so they are user controlled.
> - if one contains a double quote, no escaping is done (and it could result in an invalid query)
>
>
> About possible zebra exploits (untested):
> - yaz-client (Z39.50 client) permits a bang pattern for shell invocation; does the library too?
Mmm, nice question. But I don't think so.
> - does zebra permit anonymous index writes? (resulting in index corruption, possibly affecting koha in places where data are read from zebra and used 'as-is')
No. The default zebra configuration in koha only allows anonymous READ access.
And every read/write is subject to authentication.
> - or connection to another server? (could expose the local network area)
The default zebra configuration in koha is only on a unix socket and does not even
expose the zebra server to the outer internet.
> If the zebra library permits the use of placeholders, we should use them. Else perhaps develop a small function for variable escaping before inclusion in the zebra query.
It is not a feature that I am aware of.
But it uses ZOOM::RPN queries and Koha is forging that.
>
> Thanks.
--
Henri-Damien LAURENT
BibLibre
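As an added illustration of the "small function for variable escaping" suggested above (this is not Koha's code, not Marcel's patch, and not part of the original thread), the script below rebuilds the isbn/title branches of build_query with every user value routed through an escaping helper, then feeds it a constructed title that would otherwise inject an extra RPN clause. It assumes the YAZ PQF convention that a double-quoted term may contain `\"` and `\\` as escapes, and that the SRU/CQL quoted-string form uses the same backslash escapes; the hashref parameter replaces the CGI object so the script runs stand-alone.

```perl
#!/usr/bin/perl
# Added example, not Koha project code: escape user-supplied search terms
# before interpolating them into Zebra PQF/RPN and SRU query strings.
# Assumption: quoted PQF terms and CQL quoted strings accept backslash
# escapes for '"' and '\'.
use strict;
use warnings;

# Escape backslashes and double quotes in one pass so a term can never close
# the surrounding quotes and smuggle in query syntax.
sub escape_term {
    my ($term) = @_;
    $term = '' unless defined $term;
    $term =~ s/(["\\])/\\$1/g;
    return $term;
}

# Same shape as the quoted hunk (isbn and title branches), but every value is
# escaped and the accumulators are initialized. $params is a hashref of
# already-read CGI parameters (assumed here instead of a CGI object).
sub build_query {
    my ($params) = @_;
    my $zquery = '';
    my $squery = '';
    my $nterms = 0;

    my $isbn  = $params->{isbn}  || '';
    my $title = $params->{title} || '';

    if ($isbn) {
        my $e = escape_term($isbn);
        $zquery = "\@or \@attr 1=8 \"$e\" \@attr 1=7 \"$e\" ";
        $squery = "([isbn]=\"$e\" or [issn]=\"$e\") and ";
        $nterms++;
    }
    if ($title) {
        my $e = escape_term($title);
        $zquery .= "\@attr 1=4 \"$e\" ";
        $squery .= "[title]=\"$e\" and ";
        $nterms++;
    }
    $squery =~ s/ and $//;    # drop the trailing conjunction
    return ($zquery, $squery, $nterms);
}

# Constructed input: a title that closes the quoted term and appends a second
# attribute clause. Unescaped, the remote target would parse it as RPN.
my %request = (isbn => '', title => 'foo" @attr 1=1016 "bar');

my $unescaped = "\@attr 1=4 \"$request{title}\" ";
my ($zquery, $squery, $nterms) = build_query(\%request);

print "unescaped RPN: $unescaped\n";
print "escaped RPN:   $zquery\n";
print "escaped SRU:   $squery\n";
print "terms:         $nterms\n";
```

Run it and compare the two RPN lines: the unescaped one carries two `@attr` clauses, the escaped one carries a single `@attr 1=4` whose quoted term still contains the attacker's text, now as literal characters. The same helper belongs in front of the remaining branches (author, lccall, subject, dewey, controlnumber, stdid, srchany) so that every parameter goes through one path.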