[Koha-devel] security question about injection in Zebra

Frère Sébastien Marie sebastien.marie at latrappe.fr
Thu Jun 30 19:53:07 CEST 2011


Hi,

Seeing the patch proposed by Marcel de Rooy for bug 6536, a question came to my mind about code injection in Zebra.

Is someone aware of something like that?

Next, an extract of the patch (and after it, my comments):

On Thu, Jun 30, 2011 at 01:01:01PM +0000, Marcel de Rooy wrote:
> Z3950 Enhancements: SRU search targets, MARC conversion and additional XSLT processing
> 
> diff --git a/C4/Breeding.pm b/C4/Breeding.pm
> index 9003f9a..cb04e14 100644
> --- a/C4/Breeding.pm
> +++ b/C4/Breeding.pm

[...]

> +sub build_query {
> +  my $nterms=0;
> +  my $title         = $input->param('title')||'';
> +  my $author        = $input->param('author')||'';
> +  my $isbn          = $input->param('isbn')||'';
> +  my $lccall        = $input->param('lccall')||'';
> +  my $subject       = $input->param('subject')||'';
> +  my $dewey         = $input->param('dewey')||'';
> +  my $controlnumber = $input->param('controlnumber')||'';
> +  my $stdid         = $input->param('stdid')||'';
> +  my $srchany       = $input->param('srchany')||'';
> +
> +  if ($isbn) {
> +        $zquery = "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
> +	$squery = "([isbn]=\"$isbn\" or [issn]=\"$isbn\") and ";
> +        $nterms++;
> +  }
> +  if ($title) {
> +        utf8::decode($title);
> +        $zquery .= "\@attr 1=4 \"$title\" ";
> +	$squery .= "[title]=\"$title\" and ";
> +        $nterms++;
> +  }
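Review bot: `$isbn` and `$title` are interpolated straight into the quoted PQF term (`\"$isbn\"`) and the CQL string (`[isbn]=\"$isbn\"`) without any escaping, so a value containing a double quote ends the term early and leaves the rest of the query under the caller's control; route each value through a small helper that backslash-escapes `"` and `\` before wrapping it in quotes (or build the query with the library's structured API if it offers one), e.g. `my $q = quote_term($isbn); $zquery = "\@or \@attr 1=8 $q \@attr 1=7 $q ";`. A second point: `$zquery`, `$squery` and `$input` are used but not declared in this hunk, and `$zquery` is only assigned with `=` in the `$isbn` branch while the `$title` branch appends with `.=`, so when `isbn` is empty the later branches concatenate onto an undefined value.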

[...]


First, some notes about the code:
 - all variables seem to come from user data (the input query), so they are user controlled.
 - if one contains a double quote, no escaping is done (and this could result in an invalid query)


About possible Zebra exploits (untested):
 - yaz-client (Z39.50 client) permits the bang pattern for shell invocation; does the library too?
 - does Zebra permit anonymous index writes? (resulting in index corruption, possibly affecting Koha in places where data are read from Zebra and used 'as is')
 - or connections to another server? (could expose the local network area)
 - ...

If someone has other ideas...


If the Zebra library permits the use of placeholders, we should use them. Otherwise, perhaps develop a small function for variable escaping before inclusion in the Zebra query.

Thanks.
-- 
Frère Sébastien Marie
Abbaye Notre Dame de La Trappe
61380 Soligny-la-Trappe
Tél: 02.33.84.17.00
Fax: 02.33.34.98.57
Web: http://www.latrappe.fr/
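An added example (not part of this message, and not Koha or Zebra code) of the small escaping function the message suggests, written in Perl like the patch. It assumes that YAZ's PQF parser and CQL both treat backslash as the escape character inside double-quoted terms, so escaping `"` and `\` is sufficient; the names quote_term, build_pqf_isbn, build_cql_isbn, build_pqf_isbn_naive and extract_terms are hypothetical, and the sample value is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape one user-controlled value for use inside a double-quoted term of a
# PQF (Z39.50) or CQL (SRU) query.
# Assumption: both parsers treat backslash as the escape character inside
# "..." terms, so backslash and double quote are the characters to escape.
sub quote_term {
    my ($term) = @_;
    $term = '' unless defined $term;
    $term =~ s/([\\"])/\\$1/g;    # \ becomes \\ and " becomes \"
    return qq{"$term"};
}

# PQF fragment for an ISBN, same @or/@attr shape as the patch, but built
# through quote_term() instead of raw interpolation.
sub build_pqf_isbn {
    my ($isbn) = @_;
    my $q = quote_term($isbn);
    return "\@or \@attr 1=8 $q \@attr 1=7 $q ";
}

# The corresponding SRU/CQL fragment ($squery in the patch).
sub build_cql_isbn {
    my ($isbn) = @_;
    my $q = quote_term($isbn);
    return "([isbn]=$q or [issn]=$q) and ";
}

# What the quoted patch does today: raw interpolation, kept here only so
# the difference is visible side by side.
sub build_pqf_isbn_naive {
    my ($isbn) = @_;
    return "\@or \@attr 1=8 \"$isbn\" \@attr 1=7 \"$isbn\" ";
}

# Re-parse the quoted terms of a query with the same backslash rule and
# unescape them, so we can check that every term comes back unchanged.
sub extract_terms {
    my ($query) = @_;
    my @terms;
    while ($query =~ /"((?:[^"\\]|\\.)*)"/g) {
        my $raw = $1;
        $raw =~ s/\\(.)/$1/g;     # undo the escaping
        push @terms, $raw;
    }
    return @terms;
}

# Constructed sample input: a value containing a double quote, as a web
# user could submit in the 'isbn' field.
my $value = 'abc" def';

for my $builder ([naive => \&build_pqf_isbn_naive], [escaped => \&build_pqf_isbn]) {
    my ($name, $code) = @$builder;
    my $q     = $code->($value);
    my @terms = extract_terms($q);
    # The query is well formed only if exactly two terms come back, both
    # identical to what the user typed.
    my $ok = (@terms == 2 && !grep { $_ ne $value } @terms) ? 'round-trips' : 'MISPARSED';
    print "$name: $q\n  terms: ", join(' | ', map { "[$_]" } @terms), "  => $ok\n";
}
print "cql: ", build_cql_isbn($value), "\n";
```

The naive builder produces three quoted regions for a value with one embedded quote, so the parser's view of the query no longer matches the user's input; the escaped builder yields exactly the two terms intended. If the library exposes a structured query API (placeholders, as the message puts it), that is still preferable to string escaping.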

