Insufficient parameter validation allows unauthenticated exfiltration of AT output

Bug #2070078 reported by Jason Boyer
Affects     Status         Importance   Assigned to   Milestone
Evergreen   Fix Released   Critical     Unassigned
3.10        Fix Released   Critical     Unassigned
3.11        Fix Released   Critical     Unassigned
3.12        Fix Released   Critical     Unassigned

Bug Description

When printing lists (or the basket, which is the temporary list) you're routed through /eg/opac/record/print_preview/<hash>?blahblah, and if you click the Print Now button you are sent to /eg/opac/record/print/<ate_id> and then you get your printout.

I wonder what happens if you change that number.

Spoiler alert: check out the sweet password reset email printout in the attached image.

So it's possible to retrieve the output of any / every AT event in the system by simply starting at 1 and incrementing until you get bored of it. Additionally, while you have to be logged in to request a print preview, you do /not/ have to be logged in to print the output, so anyone can do this to any system without logging in.

Branch coming soon that verifies that the event in question has the appropriate hook for the requested action.
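To make the missing check concrete, here is an added Python model of the print endpoint described above, not Evergreen's own Perl code; the event store, the hook names and the handler shape are assumptions for illustration.

```python
# Added example (not Evergreen's code): models the authorization gap behind
# /eg/opac/record/print/<id>. Event IDs, hook names and outputs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ATEvent:
    id: int
    hook: str             # action/trigger hook that produced this event
    template_output: str  # rendered template text stored with the event


# Constructed sample data: sequential IDs, only one of which is a record-print
# event that a public OPAC print page should ever render.
EVENTS = {
    41: ATEvent(41, "biblio.format.record_entry.print",
                "Title: Example Book\nCall number: 813.54 EXA"),
    42: ATEvent(42, "password.reset_request",
                "Reset your password: https://opac.example/reset/CONSTRUCTED-TOKEN"),
}

# Hooks each OPAC action is allowed to serve (assumed names, one per action).
ALLOWED_HOOKS = {
    "print": {"biblio.format.record_entry.print"},
    "email": {"biblio.format.record_entry.email"},
}


def print_event_vulnerable(event_id: int) -> tuple[int, str]:
    """Behaviour the report describes: any existing event ID yields its output,
    regardless of which hook produced it or who is asking."""
    ev = EVENTS.get(event_id)
    return (404, "") if ev is None else (200, ev.template_output)


def print_event_fixed(action: str, event_id: int) -> tuple[int, str]:
    """Hardened handler: serve the stored output only when the event's hook is
    one this action is meant to render. Unknown IDs and wrong-hook IDs return
    the same 404 so a caller cannot tell which IDs exist."""
    ev = EVENTS.get(event_id)
    if ev is None or ev.hook not in ALLOWED_HOOKS.get(action, set()):
        return (404, "")
    return (200, ev.template_output)
```

The hook check stops the endpoint from rendering events of unrelated types; keeping the preview step authenticated, as the report notes it already is, remains a separate control.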

Revision history for this message
Jason Boyer (jboyer) wrote :

Here's the branch that addresses it; in collab since Mike actually wrote it, not that I necessarily anticipate any additions.

security/collab/jboyer/lp2070078_plug_print_leak

Changed in evergreen:
status: New → Confirmed
Changed in evergreen:
assignee: nobody → Jane Sandberg (sandbergja)
Revision history for this message
Jane Sandberg (sandbergja) wrote :

Thanks, Jason and Mike! This is a very good catch. I was able to confirm this on enhanced concerto:
1. Enabling the password reset action trigger
2. Adding an email address to a patron in the staff client
3. Requesting a password reset for them in the OPAC
4. As opensrf, running action_trigger_runner.pl --run-pending
5. As an unauthenticated user, creating a basket in the OPAC and printing it
6. Closing the print dialog and changing the ID in the URL
7. Using the provided password reset URL to change the patron's password

The patch didn't work for me out of the box; I got Internal Server errors even when trying to view bib list output, and perl -c said:

Global symbol "$self" requires explicit package name (did you forget to declare "my $self"?) at /home/opensrf/repos/Evergreen/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Record.pm line 729.
/home/opensrf/repos/Evergreen/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader/Record.pm had compilation errors.

I pushed my signoff, along with a lil follow-up commit to make it compile, to security/collab/sandbergja/lp2070078_plug_print_leak. I also took the opportunity to add the LP number and a release note to the original commit. Definitely feel free to amend if my follow-up is not what you had in mind, or if the release note is not to your liking.

Have a good weekend!

Changed in evergreen:
assignee: Jane Sandberg (sandbergja) → nobody
tags: added: pullrequest signedoff
Revision history for this message
Galen Charlton (gmc) wrote :

I've reviewed and verified the latest branch. My signoff is now sitting in security/user/gmcharlt/lp2070078_plug_print_leak and will be incorporated into the overall branches I'm preparing for the June 2024 security release.

Galen Charlton (gmc)
Changed in evergreen:
milestone: none → 3.13.1
Galen Charlton (gmc)
Changed in evergreen:
status: Confirmed → Fix Released
Galen Charlton (gmc)
information type: Private Security → Public Security