http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8171
Bug ID: 8171
Summary: Improper escaping of quotes during z39.50 queries leads to potential malicious code execution
Product: Koha
Component: Z39.50 / SRU / OpenSearch Servers
Version: rel_3_8
Status: NEW
Priority: P5 - low
Severity: normal
Classification: Unclassified
Hardware: PC
OS: Linux
Reporter: bhur...@aihs.org
Assignee: gmcha...@gmail.com
Change sponsored?: ---

When using Koha v. 3.8 for z39.50-based copy cataloging, if the title being searched for contains quotes, then everything after the first set of quotation marks is not transferred to the z39.50 search. For example, the title The Irish "Americans" only shows up as The Irish in the z39.50 search pop-up window.

My understanding is that improper escaping of quotes can cause SQL injection attacks, although this would require the malicious coder to be in the staff area (intranet) to conduct such an attack. It also leads to incorrect z39.50 search results, if one is unaware of the problem.

I believe the problem is in the C4::Z3950 Perl module. The $term variable doesn't ignore the quotes which may legitimately be in the string. I believe the error is on line 228 of the C4::Z3950 module, my version (3.8) of which reads:

    228     $sth=$dbh->prepare("insert into z3950queue (term,type,servers, identifier) values (?, ?, ?, ?)");

I think it should read:

    228     $sth=$dbh->prepare("insert into z3950queue (q{term},type,servers, identifier) values (?, ?, ?, ?)");

If there is anything I can do to further this process, or if you believe my report is in error, please let me know. Keep up the good work.

_______________________________________________
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
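Added example (not Koha's code, and not from the reporter): it runs the quoted prepare/execute pattern against an in-memory SQLite table with the same column names, using the report's own search term, to show how DBI placeholders handle embedded quotes versus interpolating the term into the SQL text. The table layout, the bound values and the "O'Brien" term are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for Koha's z3950queue table (columns from the report).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do("CREATE TABLE z3950queue (id INTEGER PRIMARY KEY, term TEXT, "
       . "type TEXT, servers TEXT, identifier TEXT)");

# The search term from the bug report; the quotes are legitimate data.
my $term = 'The Irish "Americans"';

# Placeholders: the term travels as a bound value, never as SQL text, so the
# quotes are stored verbatim and cannot change the statement's structure.
my $sth = $dbh->prepare("INSERT INTO z3950queue (term,type,servers,identifier) "
                      . "VALUES (?, ?, ?, ?)");
$sth->execute($term, 'title', 'example-server', 'example-id');   # constructed values

my ($stored) = $dbh->selectrow_array("SELECT term FROM z3950queue WHERE id = ?",
                                     undef, 1);
print "stored term: $stored\n";
print $stored eq $term ? "round-trip intact\n" : "round-trip broken\n";

# Contrast: building the SQL text from the raw term is where quoting matters.
# A term with an apostrophe (constructed) breaks the statement; with
# placeholders above the same term would simply be stored.
my $bad_term   = "O'Brien";
my $unsafe_sql = "INSERT INTO z3950queue (term,type,servers,identifier) "
               . "VALUES ('$bad_term', 'title', 'example-server', 'x')";
eval { $dbh->do($unsafe_sql); 1 } or print "interpolated SQL failed: $@";

# If a value ever has to be embedded in SQL text, the DBI way is $dbh->quote,
# which escapes the apostrophe for the target database.
$dbh->do("INSERT INTO z3950queue (term,type,servers,identifier) VALUES ("
       . $dbh->quote($bad_term) . ", 'title', 'example-server', 'x')");
my ($n) = $dbh->selectrow_array("SELECT COUNT(*) FROM z3950queue");
print "rows stored: $n\n";
```

Requires DBI and DBD::SQLite; the script prints the round-tripped term, the error from the interpolated statement, and a final row count of 2.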