Koha Open Source ILS - Path Traversal in STAFF client

vendor:

Koha

by:

Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)

7.5

CVSS

HIGH

File Path Traversal

CWE

Product Name: Koha

Affected Version From: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12

Affected Version To: None

Patch Exists: YES

Related CWE: CVE-2015-4632

CPE: Koha

Metasploit: N/A

Other Scripts: N/A

Tags: cve,cve2015,lfi,edb

CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Nuclei References: https://www.exploit-db.com/exploits/37388, https://nvd.nist.gov/vuln/detail/CVE-2015-4632, https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/, https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408, https://koha-community.org/koha-3-14-16-released/

Nuclei Metadata: {'max-request': 1, 'vendor': 'koha', 'product': 'koha'}

Platforms Tested: Debian Linux

2015

Koha Open Source ILS – Path Traversal in STAFF client

Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.

Mitigation:

Upgrade to version 3.20.1, 3.18.8, 3.16.12

Source

Exploit-DB raw data:

# Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research (cst@sba-research.org)
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4632



### CVE-2015-4632 ### 

#### Titel: ####
Directory traversal

#### Type of vulnerability: ####
File Path Traversal

##### Exploitation vector:
Injecting into the "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search

##### Attack outcome:
Read access to arbitrary files on the system

#### Impact: ####
{low,medium,high,critical}
high

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/, 
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4632

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
RGhanad-Tavakoli@sba-research.org
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: cst@sba-research.org

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
Multiple directory traversal vulnerabilities allow remote attackers to read arbitrary files via a .. (dot dot) in (1) /cgi-bin/koha/svc/virtualshelves/search and (2) in /cgi-bin/koha/svc/members/search 

#### Proof-of-concept: ####
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd