This interface doesn't require authentication and allows SQL to be injected into the system. The limitation is that the SQL statements must match $line =~ /^\s*(?i:DELETE\s+FROM|INSERT\s+INTO)\s+(?:marc_tag_structure|marc_subfield_structure)/ and $line =~ /'$frameworkcode'/
I've confirmed both parts of the bug. I'm not sure that I see a way to get DML through, since we're not doing mysql_multi_statements, but INSERT INTO marc_subfield_structure ... SELECT FROM... would provide a way for an attacker to get the contents of arbitrary rows from any table in the Koha database. Serious consideration should be given to simply dropping exporting and importing the frameworks as SQL -- we can find somebody to maintain CSV versions of the stock ones for the website.
I've attached a patch that fixes the lacked of authentication. Not setting the status to needs signoff yet because the second part of the bug is not yet tackled, but anybody should feel free to review the first patch.
Pushed to master.
Included in the following releases: 3.8.23, 3.10.13, 3.12.10, and 3.14.3.
AltStyle によって変換されたページ (->オリジナル) / アドレス: モード: デフォルト 音声ブラウザ ルビ付き 配色反転 文字拡大 モバイル