There is a SQL Injection vulnerability in the /cgi-bin/koha/opac-tags_subject.pl script.
By manipulating the variable 'number', the database can be accessed via time-based blind injections.

The following string serves as an example:

  /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)

To exploit the vulnerability, no authentication is needed.

To test:
1/ Turn on mysql query logging
2/ Hit /cgi-bin/koha/opac-tags_subject.pl?number=1+PROCEDURE+ANALYSE+(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
3/ Check the logs; notice something like
   SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1 PROCEDURE ANALYSE (EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(5000000,MD5('evil'))))),1)
4/ Apply patch
5/ Hit the url again
6/ Notice the log now only has
   SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT 1

Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed the problem and the fix for it.
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
57b01fb6
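The pattern behind the bug above, re-created as an added example that is not Koha's code and not the patch itself: the logged query shows the request parameter 'number' being pasted into the LIMIT clause of `SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT ...`, so everything after the digits is executed as SQL. The vulnerable builder is shown beside a hardened one that validates the parameter as a bounded positive integer and passes it as a bound parameter. It runs against an in-memory SQLite table (constructed sample rows; the MySQL-only PROCEDURE ANALYSE/BENCHMARK payload is replaced by a scalar subquery that SQLite accepts in LIMIT, which is enough to show that the attacker controls the query). Column names, defaults and the upper bound are assumptions, not Koha's values.

```python
import re
import sqlite3

# Constructed sample data standing in for the `tags` table; only the two
# columns the logged query touches are modelled (assumption).
SAMPLE_TAGS = [("perl", 30), ("library", 20), ("koha", 10)]


def make_db():
    """Create an in-memory SQLite database with the constructed tags rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (entry TEXT, weight INTEGER)")
    conn.executemany("INSERT INTO tags VALUES (?, ?)", SAMPLE_TAGS)
    return conn


def top_tags_vulnerable(conn, number):
    """The flawed pattern: the request value becomes part of the SQL text.

    Anything after the leading digits is parsed as SQL, which is why the
    payload from the commit message showed up verbatim in the query log.
    """
    sql = f"SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT {number}"
    return conn.execute(sql).fetchall()


def top_tags_hardened(conn, number, default=20, maximum=100):
    """Validate the parameter and bind it; the SQL text never changes.

    `default` and `maximum` are assumed values for illustration.
    """
    if number is None or number == "":
        n = default
    elif re.fullmatch(r"[0-9]+", str(number)):
        n = int(number)
    else:
        # Reject anything that is not plain ASCII digits (spaces, parentheses,
        # keywords, unicode digits that int() would still accept).
        raise ValueError("number must be a positive integer")
    if not 1 <= n <= maximum:
        raise ValueError(f"number out of range 1..{maximum}")
    sql = "SELECT entry,weight FROM tags ORDER BY weight DESC LIMIT ?"
    return conn.execute(sql, (n,)).fetchall()


def is_rejected(conn, number):
    """True if the hardened builder refuses the value instead of running it."""
    try:
        top_tags_hardened(conn, number)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # Benign request: both builders agree.
    print(top_tags_vulnerable(conn, "1"), top_tags_hardened(conn, "1"))
    # Injected request: the vulnerable builder lets SQL through (the limit is
    # now computed by a subquery the attacker wrote); the hardened one refuses.
    payload = "(SELECT count(*) FROM tags)"
    print(top_tags_vulnerable(conn, payload))
    print(is_rejected(conn, payload))
```

The test procedure in the commit message (watch the query log before and after the patch) maps directly onto the two builders: with the vulnerable one the payload appears inside the executed statement, with the hardened one only `LIMIT ?` plus a bound integer ever reaches the server.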