MACRO mkurl Does Not Scrub Invalid CGI Parameters
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | New | Undecided | Unassigned | 
Bug Description
Evergreen Version: 3.5.3+ (including current master)
OpenSRF Version: N/A
Linux Version: N/A
PostgreSQL Version: N/A
The mkurl macro does not strip all invalid or ignored parameters and values from input URLs when building links in the OPAC templates. While my own testing has not revealed any current instances of this being exploitable in Evergreen, it gives the appearance of Evergreen being vulnerable to the following attacks:
* Clickjacking: https:/
* Cross-Site Scripting (XSS): https:/
* Command Injection: https:/
* SQL Injection: https:/
The above comes from a SecurityMetrics scan of a production Evergreen system. The reason given for reporting these vulnerabilities is that the "web server hosts CGI scripts that fail to adequately sanitize request strings." In all cases, it comes down to the mkurl macro repeating the injected code in the URLs that it builds, even though no case was found where the example code actually executed or had any effect on the Evergreen server or user's web browser.
The fix is to remove all unnecessary parameters and extraneous text from parameter values in the mkurl macro itself.
I have made this a public security bug because it triggers failure on automated security audits even though it does not seem to be exploitable in recent Evergreen releases.
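The contrast the report draws, a link builder that reflects every incoming parameter versus one that keeps only known parameters with well-formed values, as an added illustration in Python. This is not Evergreen's own mkurl (which lives in the Perl/Template Toolkit OPAC code); the `ALLOWED_PARAMS` table, the value patterns and the sample request URL are constructed for this example.

```python
"""Allowlist-based link builder, illustrating the fix described in the report.

Added example, not Evergreen code. ALLOWED_PARAMS, its patterns and the sample
request below are constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical allowlist: parameter name -> pattern the whole value must match.
# A parameter not listed here is dropped; a value failing its pattern is dropped.
ALLOWED_PARAMS = {
    "query": re.compile(r"""^[\w\s.,:'"()/-]{1,200}$"""),  # free-text search terms
    "qtype": re.compile(r"^(keyword|title|author|subject|series|identifier)$"),
    "locg":  re.compile(r"^\d{1,9}$"),                      # org unit id
    "page":  re.compile(r"^\d{1,4}$"),
    "limit": re.compile(r"^\d{1,3}$"),
    "sort":  re.compile(r"^[a-z_.]{1,32}$"),
}


def naive_mkurl(current_url, overrides=None, drop=()):
    """The weakness the report describes: every parameter on the incoming
    request is copied into the generated link, unknown names and odd values
    included, so a scanner sees its probe string echoed back."""
    parts = urlsplit(current_url)
    pairs = [(n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)
             if n not in drop]
    pairs += list((overrides or {}).items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), ""))


def mkurl(current_url, overrides=None, drop=()):
    """Rebuild the query string of current_url, keeping only allowlisted
    parameters whose values match their pattern. Overrides replace incoming
    values; names in drop are removed. Returns (url, rejected) where rejected
    lists what was scrubbed and why, for logging."""
    parts = urlsplit(current_url)
    merged = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        merged.setdefault(name, []).append(value)
    for name, value in (overrides or {}).items():
        merged[name] = [value] if isinstance(value, str) else list(value)
    for name in drop:
        merged.pop(name, None)

    clean, rejected = [], []
    for name, values in merged.items():
        pattern = ALLOWED_PARAMS.get(name)
        if pattern is None:
            rejected.append((name, "unknown parameter"))
            continue
        for v in values:
            if pattern.fullmatch(v):
                clean.append((name, v))
            else:
                rejected.append((name, "malformed value"))
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(clean), ""))
    return url, rejected


# Constructed request: a normal search plus a bogus parameter and a page
# value with extraneous text, the kind of input an automated scan sends.
SAMPLE_REQUEST = ("/eg/opac/results?query=dogs&qtype=keyword&locg=1"
                  "&bogus=%3Cprobe%3E&page=2%3Cb%3E")


if __name__ == "__main__":
    print("reflected:", naive_mkurl(SAMPLE_REQUEST))
    print("scrubbed: ", mkurl(SAMPLE_REQUEST))
    print("next page:", mkurl(SAMPLE_REQUEST, overrides={"page": "3"}, drop=("locg",)))
```

Note that `urlencode` percent-encodes the reflected value either way, so the naive builder is not itself an injection; the point of the allowlist is that unknown names and malformed values never reach the generated link at all, which is what removes the scanner finding and what the report proposes for mkurl. The `rejected` list is returned rather than discarded so the caller can log what was stripped.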