http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13009
Bug ID: 13009
Summary: ImportExportFramework.pm should call system() with an array of params
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Architecture, internals, and plumbing
Assignee: gmcha...@gmail.com
Reporter: tomasco...@gmail.com
QA Contact: testo...@bugs.koha-community.org

It seems we have an attack vector for the shellshock bash vulnerability. I wrote this sample script:

#!/usr/bin/perl
# file hack.pl
use Modern::Perl;
use CGI;

my $query = CGI->new;
print $query->header();

# One-string form with shell metacharacters (the quotes): Perl hands this
# to /bin/sh -c, which inherits the CGI environment (HTTP_USER_AGENT etc.).
system("echo -e 'hola tomas'");

1;

and called it like this:

$ curl -H 'User-Agent: () { :;}; /usr/bin/touch /tmp/hacked' http://koha-dev.biblioadmin/cgi-bin/koha/hack.pl

It successfully created the /tmp/hacked file. This means that any call on system() passing the command and parameters in the same string is parsed by the default /bin/sh and is then vulnerable to the bug.

The bug isn't exploitable if the system() call looks like this (i.e. no /bin/sh use):

system("echo", "-e", "hola tomas");

The only place we have that usage pattern is in C4::ImportExportFramework:

C4/ImportExportFramework.pm:562: system("cd $tempdir && $cmd -r new.ods ./");
C4/ImportExportFramework.pm:585: system("rm -rf $tempdir");
C4/ImportExportFramework.pm:695: system("rm -rf $tempdir");
C4/ImportExportFramework.pm:734: system("$cmd $filename -d $tempdir");

The vulnerability would be difficult to exploit:
- It needs unpatched bash
- It needs bash as the default /bin/sh
- It needs an authenticated user with permissions to edit MARC frameworks.

I haven't written a PoC of the exploit that includes the authorization requirement, because the bug is pretty straightforward. To put it clearly, system("rm -rf $tempdir"); makes the Perl interpreter call /bin/sh, which then inherits the CGI params, and then bash is exploited.

-- 
You are receiving this mail because:
You are watching all bug changes.
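The following is an added example, not part of the bug report and not Koha code. It shows the difference the report describes (the one-string form of system() goes through /bin/sh, the list form does not) by setting a PROBE variable that only a shell would expand, and then gives list-form rewrites of the four ImportExportFramework calls quoted above. The HTTP_USER_AGENT value is set by hand to stand in for the curl request; "echo" stands in for the zip/unzip program normally held in $cmd, and the file name and directory are made up, so the script runs anywhere without touching Koha.

```perl
#!/usr/bin/perl
# Added example (not from the report, not Koha code): string-form vs
# list-form system(), then list-form rewrites of the four calls quoted
# in the report. "echo" replaces the real $cmd so this runs stand-alone.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Path qw(remove_tree);
use File::Temp qw(tempdir);

# The web server exports request headers to a CGI as HTTP_* variables and
# every child inherits them. This hand-set value mirrors the curl request in
# the report: with dash or a patched bash as /bin/sh nothing happens, with an
# unpatched bash as /bin/sh only the string-form call below prints it.
$ENV{HTTP_USER_AGENT} = '() { :;}; echo SHELLSHOCK-IMPORTED >&2';
$ENV{PROBE}           = 'expanded-by-a-shell';

# 1. One string containing a metacharacter ($): Perl passes the whole line
#    to /bin/sh -c, which expands $PROBE. This is the pattern in the report.
system('echo string form: $PROBE');    # prints "string form: expanded-by-a-shell"

# 2. List form: execvp("echo", ...) with each argument passed verbatim.
#    No shell runs, so $PROBE stays literal and bash is never started.
system('echo', 'list form: $PROBE');   # prints "list form: $PROBE"

# --- List-form rewrites of the four calls from C4::ImportExportFramework ---
my $cmd      = 'echo';            # zip / unzip in the real module (assumed)
my $filename = 'framework.ods';   # an uploaded file name, attacker-influenced
my $tempdir  = tempdir();         # made-up scratch directory for the demo

# was: system("cd $tempdir && $cmd -r new.ods ./");
# "cd x && y" only works with a shell; chdir in Perl and run $cmd as a list.
sub run_in_dir {
    my ( $dir, @argv ) = @_;
    my $here = getcwd();
    chdir $dir or die "chdir $dir: $!";
    my $rc = system(@argv);
    chdir $here or die "chdir $here: $!";
    return $rc;
}
run_in_dir( $tempdir, $cmd, '-r', 'new.ods', './' ) == 0
    or warn "$cmd failed: $?";

# was: system("$cmd $filename -d $tempdir");
# A name such as "x; rm -rf /" is now one argv element, not shell code.
system( $cmd, $filename, '-d', $tempdir ) == 0
    or warn "$cmd failed: $?";

# was: system("rm -rf $tempdir");   (lines 585 and 695 in the report)
# No child process at all: File::Path removes the tree in-process.
remove_tree($tempdir);
```

Two points worth keeping in mind when applying this. First, the list form buys more than shellshock protection: with the string form, $filename and $tempdir are interpolated into a shell command line, so any metacharacter in an uploaded file name is executed, whichever /bin/sh is installed. Second, the list form only takes /bin/sh out of the picture; the child still inherits %ENV, so if $cmd is itself a bash script (or execs a shell internally) an unpatched bash would still import HTTP_USER_AGENT. Dropping request-derived variables before spawning, for example `delete @ENV{ grep { /^HTTP_/ } keys %ENV };`, closes that path as well, and patching bash remains the real fix.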
_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/