[Koha-devel] security question about injection in Zebra
Frère Sébastien Marie
sebastien.marie at latrappe.fr
Thu Jun 30 19:53:07 CEST 2011
Hi,
Seeing the patch proposed by Marcel de Rooy for bug 6536, a question came to my mind about injection of code in Zebra.
Is anyone aware of something like that?
Below is an extract of the patch (followed by my comments):
On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
> Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
>
> diff --git a/C4/Breeding.pm b/C4/Breeding.pm
> index 9003f9a..cb04e14 100644
> --- a/C4/Breeding.pm
> +++ b/C4/Breeding.pm
[...]
> +sub build_query {
> + my $nterms=0;
> + my $title = $input->param('title')||'';
> + my $author = $input->param('author')||'';
> + my $isbn = $input->param('isbn')||'';
> + my $lccall = $input->param('lccall')||'';
> + my $subject = $input->param('subject')||'';
> + my $dewey = $input->param('dewey')||'';
> + my $controlnumber = $input->param('controlnumber')||'';
> + my $stdid = $input->param('stdid')||'';
> + my $srchany = $input->param('srchany')||'';
> +
> + if ($isbn) {
> + $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
> + $squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and ";
> + $nterms++;
> + }
> + if ($title) {
> + utf8::decode($title);
> + $zquery .= "\@attr 1=4 \"$title\" ";
> + $squery .= "[title]=\"$title\" and ";
> + $nterms++;
> + }
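Review bot: the interpolations in this hunk (`$zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";` and the matching `$squery` / `$title` lines) put raw `$input->param(...)` values inside double-quoted terms with no escaping, so a value containing `"` or `\` closes the quoted term early and whatever follows is parsed as query syntax by Zebra or the SRU target, at best producing a malformed query. Escape `\` and `"` in each term before wrapping it in quotes (or reject values that fall outside the field's expected character set, e.g. digits, hyphens and X for ISBN/ISSN), and apply the same treatment to every parameter read at the top of `build_query`, not only the two shown. Also, `utf8::decode` is called on `$title` alone; the other parameters presumably need the same decoding.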
[...]
First, some notes about code:
- all variables seem to come from user data (the input query), so they are user controlled.
- if one contains a double quote, no escaping is done (which could result in an invalid query)
About possible Zebra exploits (untested):
- yaz-client (the Z39.50 client) permits the bang pattern for shell invocation; does the library too?
- does Zebra permit anonymous index writes? (resulting in index corruption, possibly affecting Koha in places where data are read from Zebra and used as-is)
- or connecting to another server? (could expose the local network)
- ...
If someone has other ideas...
If the Zebra library permits the use of placeholders, we should use them. Otherwise, perhaps develop a small function for variable escaping before inclusion in the Zebra query.
Thanks.
--
Frère Sébastien Marie
Abbaye Notre Dame de La Trappe
61380 Soligny-la-Trappe
Tél: 02.33.84.17.00
Fax: 02.33.34.98.57
Web: http://www.latrappe.fr/
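An escaping and allow-list helper of the kind the mail suggests, written in Perl as an added example (not Koha's code and not part of the patch); `quote_term`, `is_plausible_isbn` and `isbn_pqf` are hypothetical names, and the rule that a PQF double-quoted term escapes `"` and `\` with a backslash is assumed from yaz's PQF syntax.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Koha code): wrap a user-supplied search term so
# that Zebra treats it as one literal term inside a PQF query.
# Assumption: PQF (the @attr ... syntax) accepts double-quoted terms and uses
# a backslash to escape a quote or a backslash inside them.
sub quote_term {
    my ($term) = @_;
    $term =~ s/([\\"])/\\$1/g;    # escape backslashes and double quotes
    return qq{"$term"};
}

# Allow-list check for identifier fields: an ISBN/ISSN only ever contains
# digits, hyphens, spaces and a check character X. Anything else is
# rejected before it reaches the query at all.
sub is_plausible_isbn {
    my ($isbn) = @_;
    return $isbn =~ /\A[0-9Xx -]{8,17}\z/ ? 1 : 0;
}

# Build the ISBN part of the Z39.50 query with the same attributes as the
# patch, but with the term validated and quoted safely.
sub isbn_pqf {
    my ($isbn) = @_;
    die "rejected: isbn contains unexpected characters\n"
        unless is_plausible_isbn($isbn);
    my $q = quote_term($isbn);
    return "\@or \@attr 1=8 $q \@attr 1=7 $q ";
}

# Constructed inputs: an ordinary ISBN, a title carrying an embedded quote,
# and an "ISBN" that tries to close the quoted term and add query syntax.
print isbn_pqf('978-0-596-00027-5'), "\n";
print '@attr 1=4 ', quote_term(q{Learning "Perl" 6th ed}), "\n";

eval { isbn_pqf(q{12345" @attr 1=4 "foo}) };
print "ISBN check: $@" if $@;
```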