
    PDS: Page is vulnerable to OS command injection attacks


    • Product: Aleph
    • Product Version: 20, 21, 22, 23
    • Relevant for Installation Type: Dedicated-Direct, Direct, Local, Total Care


    Description

    GET: http://xxxx.edu/F/?func=file&file_name=help-2&pds_handle=%20%7C%20sleep%2016%20%7C%20 

    ATTACK DETAILS: 
    This page is vulnerable to OS command injection attacks. 

    Command injection vulnerabilities occur when user-supplied input is passed, unsanitized, 
    into a command line that is handed to a system shell. An attacker can then run commands 
    with the privileges of the web application, as if they were at a terminal on the server. 
    This can lead to disclosure of files not normally reachable from the web, as well as 
    privilege escalation attacks against the server itself. 

    In the request above, the pds_handle value URL-decodes to " | sleep 16 | ". Because the 
    parameter is concatenated into a shell command, the shell pipes the result into sleep 16 
    and the response is delayed by roughly 16 seconds. That delay is the time-based check 
    that confirms execution even when no command output is returned in the page. 
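    The following is an added example, not Ex Libris or PDS code. The page shows neither the PDS source nor the command it builds, so the lookup tool path /exlibris/pds/lookup_handle and the handle alphabet in HANDLE_RE are assumptions used only to illustrate the pattern. The script parses the exact request from the Description above, shows the command line a shell-interpolating handler would produce from it, and contrasts a hardened handler that allowlists the handle and passes it as a separate argv element (or quotes it with shlex.quote where a shell string cannot be avoided). Nothing is executed.

```python
"""Vulnerable vs. hardened handling of the pds_handle parameter.

Added illustration, not Ex Libris code. The handler below is a hypothetical
reconstruction of the pattern the article describes (user input spliced into
a shell command line), fed with the exact request shown in the article.
"""
import re
import shlex
from urllib.parse import parse_qs, urlsplit

# Request copied verbatim from the article (xxxx.edu is the article's placeholder host).
ATTACK_URL = ("http://xxxx.edu/F/?func=file&file_name=help-2"
              "&pds_handle=%20%7C%20sleep%2016%20%7C%20")

# Assumed path of a hypothetical lookup tool; only its command line is built, never run.
LOOKUP_TOOL = "/exlibris/pds/lookup_handle"

# Assumed alphabet for a legitimate handle; adjust to the real format in use.
HANDLE_RE = re.compile(r"\A[A-Za-z0-9_.:-]{1,64}\Z")


def pds_handle_from_url(url: str) -> str:
    """Return the decoded pds_handle value exactly as a CGI handler would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params["pds_handle"][0]


def vulnerable_command_line(handle: str) -> str:
    """The anti-pattern: the raw handle is pasted into one string given to a shell.

    For the article's payload this yields
    '/exlibris/pds/lookup_handle  | sleep 16 | ', so /bin/sh runs the lookup,
    pipes it into `sleep 16`, and the HTTP response is delayed by 16 seconds.
    """
    return f"{LOOKUP_TOOL} {handle}"  # would be handed to os.system()/backticks


def hardened_argv(handle: str) -> list[str]:
    """Hardened form: allowlist the value, then pass it as its own argv element.

    Raises ValueError for anything outside HANDLE_RE. Even if the allowlist were
    too loose, passing argv with shell=False means metacharacters reach the tool
    as literal text and are never interpreted by a shell.
    """
    if not HANDLE_RE.fullmatch(handle):
        raise ValueError(f"rejected pds_handle {handle!r}")
    return [LOOKUP_TOOL, handle]


def quoted_command_line(handle: str) -> str:
    """Fallback when a shell string is unavoidable: quote every untrusted token."""
    return f"{LOOKUP_TOOL} {shlex.quote(handle)}"


def contains_shell_metachars(handle: str) -> bool:
    """Detection helper for web-server logs: flag values a shell would interpret."""
    return re.search(r"[|;&`$()<>\n]", handle) is not None


if __name__ == "__main__":
    h = pds_handle_from_url(ATTACK_URL)
    print(repr(h))                      # ' | sleep 16 | '
    print(vulnerable_command_line(h))   # shell would run the injected pipeline
    print(quoted_command_line(h))       # injected text becomes one literal argument
    print(contains_shell_metachars(h))  # True: worth alerting on
    try:
        hardened_argv(h)
    except ValueError as err:
        print("blocked:", err)
```

    The detection helper is the cheap check to run over historical access logs for the F/ CGI: any pds_handle containing a pipe, semicolon or backtick is not a legitimate handle and indicates a scan or an attempt.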

    We did try installing the PDS program files from the latest Service Pack to see if that made a difference, but it doesn't seem to have any effect. We are using the z311 file rather than the Oracle table. 

    Resolution

    Ex Libris has addressed this PDS vulnerability. The fix is described in the cross-product article "Security Update - Ex Libris Patron Directory Services (PDS) Security ..." and can be applied independently of any Service Pack. It has been tested specifically with Aleph 22 and 23, but should also work with versions 20 and 21.

    Note that this fix does not need to be applied if you are not using PDS. To tell whether you are, check $alephe_tab/tab100: a PDS-AWARE=Y entry means PDS is in use. (The default is PDS-AWARE=N.)

    Note that the fix is also part of the 22.1.12 Service Pack, which is now on the ftp server. Important: third-party product updates must be implemented before the Service Pack installation (util SP / 6 – 10: Download, Extract and Update 3rd party soft links).

    The version 23 fix is rep_change 004023; the version 22 fix is rep_changes 002510 and 002511.



    • Article last edited: 17-Apr-2019