CVE-2015-4639 in Libraries
Summary
by MITRE
Multiple cross-site request forgery (CSRF) vulnerabilities in Koha Libraries 3.20.x before 3.20.1, 3.14.x before 3.14.16, 3.16.x before 3.16.12 allow remote attackers to (1) hijack the authentication of users with access to the OPAC interface and who have permissions to create public lists for requests that inject arbitrary web script or HTML via the addshelf parameter to opac-shelves.pl, (2) hijack the authentication of users with access to the OPAC interface and who have permissions to create public lists for requests that inject arbitrary web script or HTML via an unspecified list name parameter to opac-addbybiblionumber.pl, (3) hijack the authentication of library administrator users for requests that execute arbitrary web script or HTML via virtualshelves/shelves.pl when a shelf name contains web script or HTML, or (4) hijack the authentication of users with access to the OPAC interface and who have permissions to create public lists for requests that execute arbitrary web script or HTML by adding a biblio to a list whose name contains web script or HTML.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/31/2019
The CVE-2015-4639 vulnerability represents a critical cross-site request forgery flaw affecting Koha Libraries versions prior to specific patch releases. This vulnerability resides within the open-source integrated library system that manages library operations including cataloging, circulation, and patron services. The flaw specifically targets the OPAC (Online Public Access Catalog) interface where users can create public lists, making it particularly dangerous as it affects both regular patrons and library administrators who have elevated privileges within the system.
The technical implementation of this CSRF vulnerability stems from insufficient validation and sanitization of user input parameters within multiple script endpoints. Attackers can exploit this weakness by crafting malicious requests that leverage the authenticated sessions of legitimate users to perform unauthorized actions. The vulnerability manifests through four distinct attack vectors that all center on the manipulation of list creation and management functions within the OPAC interface. The first vector involves the addshelf parameter in opac-shelves.pl, while the second utilizes an unspecified list name parameter in opac-addbybiblionumber.pl. The third and fourth vectors target virtualshelves/shelves.pl and general list creation functions respectively, all of which allow injection of arbitrary web script or HTML content.
The operational impact of this vulnerability extends beyond simple data theft or modification. Since the attack can hijack authenticated sessions of users with varying permission levels, including library administrators, the potential for damage is significant. An attacker could create malicious public lists that execute arbitrary scripts when viewed by other users, potentially leading to session hijacking, data exfiltration, or further system compromise. The vulnerability affects users who can create public lists, which typically includes both regular patrons and staff members, making the attack surface particularly broad. The injection of malicious code through shelf names and list parameters creates persistent threat vectors that could remain active until the compromised lists are manually removed or the system is patched.
This vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery, and maps to ATT&CK technique T1566 for the initial compromise through web-based attacks. The lack of proper input validation and the absence of anti-CSRF tokens in these endpoints creates a fundamental security gap that allows attackers to manipulate authenticated sessions without requiring credentials. The patched versions of Koha (3.20.1, 3.14.16, and 3.16.12) address this by implementing proper input sanitization, CSRF token validation, and enhanced parameter handling in the affected scripts. Organizations should implement immediate mitigations including patching affected systems, implementing web application firewalls, and conducting security reviews of all user-input handling mechanisms to prevent similar vulnerabilities from occurring in other components of their library management systems.