http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6628
Bug #: 6628
Summary: [security] help system use insecure REFERRER for file
inclusion
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Architecture, internals, and plumbing
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
The 'help.pl' use REFERRER HTTP-Header for determine which template should be
displayed to user.
This HTTP-Header could be forged by user.
CWE-73: External Control of File Name or Path (see
http://cwe.mitre.org/data/definitions/73.html)
The template name is extracted from REFERRER which regex:
> our $refer = $query->referer();
> $refer =~ /koha\/(.*)\.pl/;
> my $from = "modules/help/$1.tt";
So it is possible to have a referer like: http://xxx/koha/EVIL-THING.plxxx
and $from should be egal to "modules/help/EVIL-THING.tt"
Some suggestions:
- It should be better to have a better regex for extract the help template:
like only allow a-zA-Z, '-' and '/' (not including '.' [for ".."], but
including '/' for help templates like "members/boraccount.tt")
- It will be better to rename all help templates from: "members/boraccount.tt"
to "members-boraccount.tt", in order to remove need of '/' in regex. And all
'/' in value taken from referer must be remplaced by '-'. ('-' in path is less
worst than '/').
--
Configure bugmail:
http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
