Ex Libris Knowledge Center

    PDS: Page is vulnerable to OS command injection attacks


    • Product: Aleph
    • Product Version: 20, 21, 22, 23, 24
    • Relevant for Installation Type: Local

    Description

    Command execution vulnerabilities occur when user input is passed unsanitized to a system shell for execution. An attacker can issue system commands as if they were at a terminal on the server. This can lead to disclosure of files not normally reachable from the web, as well as privilege escalation attacks against the server itself.

    Example 

    GET: http://server.com/F/?func=file&file_name=help-2&pds_handle=%20%7C%20sleep%2016%20%7C%20 

    ATTACK DETAILS: 
    This page is vulnerable to OS command injection attacks. 

    We did try installing program files for PDS from the latest Service Pack to see if that made a difference, but it doesn't seem to have any effect. We are using the z311 file rather than the ORACLE table.
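    The request above carries shell metacharacters (a URL-encoded `|` pipe around `sleep 16`) in the pds_handle parameter. The following script is an added example, not part of this article or of Ex Libris' code: it scans web server access-log lines for /F/ requests whose query parameters contain shell metacharacters, and applies a strict allowlist to pds_handle. The handle format (letters, digits, dot, dash, underscore), the log format and the log lines themselves are assumptions constructed for the example.

```python
"""Flag OS command injection attempts against the Aleph /F/ endpoint in
access-log lines, and allowlist-check the pds_handle parameter."""
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that have no legitimate place in a query value
# that may reach a system shell.
SHELL_META = re.compile(r"[|;&`$<>(){}\n\r]")

# Assumption: a legitimate PDS session handle is a short token of letters,
# digits, dots, dashes and underscores. Adjust to the handles your PDS issues.
HANDLE_OK = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def suspicious_params(url):
    """Return {param: decoded value} for query parameters whose decoded value
    fails the pds_handle allowlist or contains shell metacharacters."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = {}
    for name, values in qs.items():
        for value in values:
            if name == "pds_handle" and not HANDLE_OK.match(value):
                hits[name] = value
            elif SHELL_META.search(value):
                hits[name] = value
    return hits


# Constructed sample access-log lines (common log format); not real traffic.
# The second line carries the injection request quoted in the article.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2024:10:00:01 +0000] "GET /F/?func=file&file_name=help-2&pds_handle=4c2f9a1b HTTP/1.1" 200 5120
10.0.0.9 - - [29/Jan/2024:10:00:07 +0000] "GET /F/?func=file&file_name=help-2&pds_handle=%20%7C%20sleep%2016%20%7C%20 HTTP/1.1" 200 17
10.0.0.9 - - [29/Jan/2024:10:00:09 +0000] "GET /F/?func=find-b&request=hamlet HTTP/1.1" 200 8000
"""

# ip, timestamp, method, request path, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def scan_log(text):
    """Return a list of (client_ip, request_path, suspicious_params) for
    /F/ requests whose parameters look like command injection attempts."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected log format
        ip, _ts, _method, path, _status, _size = match.groups()
        if not path.startswith("/F/"):
            continue  # only the Aleph web OPAC entry point is of interest here
        hits = suspicious_params(path)
        if hits:
            findings.append((ip, path, hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path!r} -> {hits}")
```

    Running the script flags only the second sample line, reporting the decoded pds_handle value ` | sleep 16 | `. The allowlist on pds_handle is the more robust of the two checks: it rejects anything that is not a plausible session handle rather than trying to enumerate every dangerous character.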

    Resolution

    Ex Libris has addressed this potential PDS vulnerability.
    Note that this fix does not need to be applied if you are not using PDS.
    Note: The fix is part of Aleph 24 and has been introduced to version 23 (rep_change 004023) and version 22 (rep_changes 002510 and 002511). Install the latest Service Pack to implement the fix for Aleph 22 and 23.

    If you are using Aleph version 20 or 21, read instructions below.

    How can you tell if you are using PDS?
    Check $alephe_tab/tab100. If you are using PDS, it will contain a PDS-AWARE=Y entry. The default is PDS-AWARE=N.

    Important Note: Third-party product updates must be implemented after the Service Pack installation (util SP / 6 – 10 Download, Extract and Update 3rd party soft links).

    Are you using Aleph version 20 or 21?
    The fix is also described in the Cross-product article "Security Update - Ex Libris Patron Directory Services (PDS) Security ...". It can be applied independently of any Service Pack.
    It has been tested specifically with Aleph 22 and 23, but should also work with versions 20 and 21.


    • Article last edited: 29-Jan-2024 (first published in 2016)