Dear community,

In our Koha version 3.12.01, which runs on Ubuntu 12.04, we have some problems. Recently our Web provider checked Koha security with the "Acunetix" Web application security program and found some high-severity vulnerabilities.

First threat:
**********************************
Cross site scripting (verified) Affects Variation /cgi-bin/koha/opac-search.pl /cgi-bin/koha/opac-search.pl URL encoded GET input count was set to 50'"()&%<ScRiPt
prompt(901653)</ScRiPt> GET /cgi-bin/koha/opac-search.pl?count=50%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28901653%29%3c%2 fScRiPt%3e&format=rss2&idx=pb,wrdl&limit=mc-itype,phr:AR&q=1&sort_by=acqdate_dsc HTTP/1.1 Referer: http://library.parliament.am:80/ (line truncated) ...00%2500query_cgi%2508%2580%2505%2500%2500%2500total%250A%2511callnum%252Cwrdl%253A%25201%2 52C%2520%250A%2500%2500%2500query_desc%2504%2503%2504%2500%2500%2500%2506%25C5Q%258FR%2500%25 00%2500%2500%2504%2500%2500%2500time%250A7format%253Drss2%2526idx%253Dsu%25252Cwrdl%2526limit %253Dmc-itype%25252Cphr%25253AAR%2526q%253D1%2509%2500%2500%2500query_cgi%2508%2580%2505%2500 %2500%2500total%250A%251Bsu%252Cwrdl%253A%25201%252C%2520mc-itype%252Cphr%253AAR%250A%2500%25 00%2500query_desc; KohaOpacLanguage=en Host: library.parliament.am Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm Accept: */*

Second:
***************************************
Application error message Affects Variation /cgi-bin/koha/opac-search.pl /cgi-bin/koha/opac-search.pl URL encoded GET input count was set to '"() Error message found: Internal Server Error GET /cgi-bin/koha/opac-search.pl?count=%27%22%28%29&format=rss2&idx=ti&q=1&sort_by=acqdate_dsc HTTP/1.1 (line truncated) ...00%2500query_cgi%2508%2580%2505%2500%2500%2500total%250A%2511callnum%252Cwrdl%253A%25201%2 52C%2520%250A%2500%2500%2500query_desc%2504%2503%2504%2500%2500%2500%2506%25C5Q%258FR%2500%25 00%2500%2500%2504%2500%2500%2500time%250A7format%253Drss2%2526idx%253Dsu%25252Cwrdl%2526limit %253Dmc-itype%25252Cphr%25253AAR%2526q%253D1%2509%2500%2500%2500query_cgi%2508%2580%2505%2500 %2500%2500total%250A%251Bsu%252Cwrdl%253A%25201%252C%2520mc-itype%252Cphr%253AAR%250A%2500%25 00%2500query_desc; KohaOpacLanguage=en Host: library.parliament.am Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL) Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm Accept: */*
****************************

The security program's results are attached. How can we prevent XSS attacks and protect opac-search.pl?

Best regards,
Araik
On 27 November 2013 00:54, <araik@flib.sci.am> wrote:
> Dear community, In our Koha version 3.12.01, which runs on Ubuntu 12.04, we have some problems. Recently our Web provider checked Koha security with the "Acunetix" Web application security program and found some high-severity vulnerabilities.

The good news is, it isn't easily exploitable, as the problem only occurs on the RSS feed page and shows up as

<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>

which most browsers, feed readers, etc. will throw away. However, there is no reason we shouldn't be escaping that input anyway. There is a patch for this at http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11307

The bigger issue for you is that in July 2013 a security release was made, fixing a more serious issue. You should upgrade your 3.12.01 to at least 3.12.03 to get the fix for that (unless you have patched manually): http://koha-community.org/security-release-july-2013/

Chris
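The defect Chris describes is the `count` parameter being copied unescaped into the `<opensearch:itemsPerPage>` element of the RSS output. The following is an added example, not Koha's own code nor the patch from bug 11307: it contrasts the unsafe rendering with two defences (treating `count` as a bounded integer, since a page size never needs free text; XML-escaping any field that genuinely must echo user input), and adds a small log check that flags requests whose `count` value is not a plain integer, such as the scanner probes quoted in the report. The default page size, the upper bound and the access-log lines are constructed assumptions.

```python
"""Added example (not Koha's code): validate/escape a reflected query
parameter and flag probe requests in access logs."""
import re
from urllib.parse import urlsplit, parse_qs
from xml.sax.saxutils import escape

DEFAULT_COUNT = 20   # assumed default page size (Koha's real default is a system preference)
MAX_COUNT = 100      # assumed upper bound for a sane page size


def render_unsafe(count):
    """The failure mode from the report: raw request input copied into the feed."""
    return f"<opensearch:itemsPerPage>{count}</opensearch:itemsPerPage>"


def sanitize_count(raw, default=DEFAULT_COUNT, maximum=MAX_COUNT):
    """Whitelist approach: 'count' is a page size, so accept only a bounded positive integer.
    Anything else (including the scanner's 50'"()&% probe) falls back to the default."""
    if raw is None or not re.fullmatch(r"\d{1,4}", raw.strip()):
        return default
    n = int(raw)
    return n if 1 <= n <= maximum else default


def render_safe(raw):
    """Same element, but only a validated integer ever reaches the markup."""
    return f"<opensearch:itemsPerPage>{sanitize_count(raw)}</opensearch:itemsPerPage>"


def xml_text(value):
    """For fields that must echo free text (the search query, titles): escape, don't validate away.
    Quotes are escaped too so the value is safe inside attributes as well as element text."""
    return escape(str(value), {'"': "&quot;", "'": "&apos;"})


def suspicious_count_requests(log_lines):
    """Return access-log lines whose decoded 'count' query value is not a plain integer."""
    hits = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP/\d\.\d"', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in query.get("count", []):
            if not re.fullmatch(r"\d+", value):
                hits.append(line)
                break
    return hits


# Constructed access-log lines; the second and third reuse the encoded probes quoted
# in the scanner report above.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Nov/2013:00:10:01 +0400] "GET /cgi-bin/koha/opac-search.pl?count=50&format=rss2&q=1 HTTP/1.1" 200 4120',
    '203.0.113.5 - - [27/Nov/2013:00:10:02 +0400] "GET /cgi-bin/koha/opac-search.pl?count=50%27%22%28%29%26%25%3cScRiPt%20%3eprompt%28901653%29%3c%2fScRiPt%3e&format=rss2&q=1 HTTP/1.1" 200 4310',
    '203.0.113.5 - - [27/Nov/2013:00:10:03 +0400] "GET /cgi-bin/koha/opac-search.pl?count=%27%22%28%29&format=rss2&idx=ti&q=1 HTTP/1.1" 500 612',
]

if __name__ == "__main__":
    probe = "50\"'<h1>test</h1>"
    print(render_unsafe(probe))   # markup from the probe survives into the feed
    print(render_safe(probe))     # falls back to the default page size
    print(xml_text(probe))        # how a free-text field would be neutralised instead
    for hit in suspicious_count_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The second finding in the report (an Internal Server Error for `count='"()`) is the same input reaching code that expects a number; validating `count` once at the entry point, as `sanitize_count` does, removes both the reflected markup and the crash path, and the log check gives a cheap way to see whether such probes are still arriving after the upgrade.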
participants (2)
- araik@flib.sci.am
- Chris Cormack