http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6629
Bug #: 6629
Summary: [security] insecure use of Cookie for language selection
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P5
Component: Architecture, internals, and plumbing
AssignedTo: gmcha...@gmail.com
ReportedBy: semarie-k...@latrappe.fr
QAContact: koha-bugs@lists.koha-community.org

CWE-73: External Control of File Name or Path (see http://cwe.mitre.org/data/definitions/73.html)

In C4/Templates.pm, in the function themelanguage, the user language is obtained from the cookie 'KohaOpacLanguage' and used "as is" in the construction of the template filename path. In the following piece of code, $la is the 'KohaOpacLanguage' cookie value:

> # searches through the themes and languages. First template it find it
> # returns.
> # Priority is for getting the theme right.
> THEME:
> foreach my $th (@themes) {
>     foreach my $la (@languages) {
>         if ( -e "$htdocs/$th/$la/modules/$tmpl" ) {
>             $theme = $th;
>             $lang  = $la;
>             last THEME;
>         }
>         last unless $la =~ /[-_]/;
>     }
> }

In opac/opac-main.pl, the same: if the cookie 'KohaOpacLanguage' exists, it is used. Here, the page also uses HTTP_ACCEPT_LANGUAGE, sanitized with a regex.

In koha/installer/install.pl and koha/installer/InstallAuth.pm the cookie is also used (but it needs verification whether it is used in a manner that permits exploitation).

As the cookie can be forged (it is user input) and may contain any characters, it could embed '../' for path traversal. The exploitation of this problem is mitigated by the fact that the perl function '-e' seems to be resistant to '\0' inclusion (which would otherwise strip everything after the variable).

Suggestions:
- A regex sanitization should be used, or the C4::Output::getlanguagecookie function should be used, which takes only the first two characters (I would prefer a regex like /^[a-zA-Z]*$/ ).
- A unified method should be used: a function somewhere (C4::Templates ?) that returns a list of possible languages:
  - first element: the cookie value, sanitized (if it exists)
  - next: the sanitized list from ENV{HTTP_ACCEPT_LANGUAGE}
  - next: 'en'
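The "unified method" suggested above, written out as an added example (this is not Koha code and not the reporter's patch): one helper that returns the ordered candidate list, with every user-supplied value checked against an allowlist before it can reach a filesystem path. The allowlist pattern and the helper names are assumptions; the pattern accepts region tags such as 'en-GB' (which the loop above tests for with /[-_]/) rather than the bare /^[a-zA-Z]*$/ the report proposes.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): build the ordered list of candidate
# languages for the template lookup, dropping anything that could not be a
# language tag (so '../' sequences never reach "$htdocs/$th/$la/...").
use strict;
use warnings;

# Assumed allowlist: 2-3 lowercase letters, optional region after '-' or '_'.
my $LANG_RE = qr/^[a-z]{2,3}(?:[-_][A-Za-z]{2,4})?$/;

# Return the tag unchanged if it matches the allowlist, otherwise undef.
# Rejecting rather than "cleaning" keeps the logic simple to audit.
sub sanitize_lang {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ $LANG_RE ? $value : undef;
}

# Candidate languages in priority order, duplicates removed:
#   1. the KohaOpacLanguage cookie, if it passes the allowlist
#   2. each HTTP_ACCEPT_LANGUAGE entry that passes (';q=...' weights dropped)
#   3. 'en' as the guaranteed fallback
sub candidate_languages {
    my ( $cookie, $accept_language ) = @_;
    my ( @langs, %seen );

    if ( my $c = sanitize_lang($cookie) ) {
        push @langs, $c;
        $seen{$c}++;
    }
    for my $part ( split /\s*,\s*/, ( $accept_language // '' ) ) {
        my ($tag) = split /\s*;\s*/, $part;   # 'fr-FR;q=0.9' -> 'fr-FR'
        my $ok = sanitize_lang($tag) or next;
        push @langs, $ok unless $seen{$ok}++;
    }
    push @langs, 'en' unless $seen{'en'};
    return @langs;
}

# Constructed inputs: a forged cookie carrying a traversal sequence is
# discarded; the well-formed Accept-Language entries and the fallback remain.
my @got = candidate_languages( '../../../etc', 'fr-FR;q=0.9, de, en-GB' );
print join( ' ', @got ), "\n";
```

The caller then iterates this list exactly as the THEME loop does, but every $la it interpolates is guaranteed to be a bare language tag.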