Koha
cpe:2.3:a:koha:koha:*:*:*:*:*:*:*
- < 22.05.22
A command injection vulnerability has been identified in Koha Library Software versions prior to 23.05.10. The issue arises in the cover image upload feature, specifically within the 'tools/upload-cover-image.pl' script. The vulnerability allows remote code execution by failing to properly sanitize user-controlled filenames before unzipping uploaded ZIP files. An authenticated user with high privileges can exploit this by uploading a ZIP file with a malicious filename containing shell metacharacters, which are then executed on the server when the 'Process Images' button is clicked.
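The defect the advisory describes is a user-controlled filename reaching a shell through the unzip step. The following Perl snippet is an added example written for this page; it is not Koha's own code, and the subroutine names, the regex allowlist and the sample filenames are all constructed. It contrasts the fragile pattern (a filename interpolated into one shell string) with a hardened version that validates the name against a strict allowlist and runs unzip through the list form of system(), which executes the program directly without a shell.

```perl
#!/usr/bin/perl
# Added example (not Koha's code). Hypothetical names throughout.
use strict;
use warnings;
use File::Basename qw(basename);
use File::Spec;

# Fragile pattern: the filename is interpolated into a single string
# that a shell parses, so metacharacters in $name become commands.
sub unzip_unsafe {
    my ($upload_dir, $name) = @_;
    my $path = "$upload_dir/$name";
    return system("unzip -o $path -d $upload_dir");   # do not use
}

# Allowlist validator: basename only (no directory parts), must start
# with an alphanumeric, then alphanumerics, dot, dash or underscore,
# ending in .zip. Returns the validated name or undef.
sub validate_zip_name {
    my ($name) = @_;
    return undef unless defined $name;
    return undef if $name ne basename($name);       # reject path components
    return undef unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.zip\z/;
    return undef if $name =~ /\.\./;                # reject traversal-like names
    return $name;
}

# Hardened pattern: validate first, build the path with File::Spec,
# then call unzip with the list form of system(). No shell is involved,
# so the argument is passed to unzip verbatim and never interpreted.
sub unzip_safe {
    my ($upload_dir, $name) = @_;
    my $clean = validate_zip_name($name)
        or die "rejected upload filename\n";
    my $path = File::Spec->catfile($upload_dir, $clean);
    die "no such file: $path\n" unless -f $path;
    my $rc = system('unzip', '-o', $path, '-d', $upload_dir);
    die "unzip failed with status $?\n" if $rc != 0;
    return 1;
}

# Constructed inputs exercising the validator only (no files needed).
for my $n ('covers.zip', 'Covers_2024-01.zip', 'x`id`.zip',
           '../etc.zip', 'a;b.zip', '-r.zip') {
    printf "%-22s %s\n", $n,
        defined(validate_zip_name($n)) ? 'accept' : 'reject';
}
```

The validator rejects the last four constructed names and accepts the first two. Validation alone is a second line of defence; the property that actually closes the injection is the list-form system() call, because the filename is then an argv element rather than shell input. Unpacking with a pure-Perl module such as Archive::Zip avoids the external process entirely, although the extracted entry names still need the same kind of allowlisting before they are written to disk.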
Exploitation of this vulnerability allows authenticated users to execute arbitrary operating system commands on the server, potentially leading to a complete system compromise.
To reproduce this vulnerability, log into Koha as a high-privilege user and navigate to the cover image upload tool. Upload a ZIP file and intercept the request with a proxy tool like Burp Suite. Modify the filename of the uploaded file to include a command injection payload, such as a command enclosed in backticks. After uploading the file, click 'Process Images' to trigger the execution of the injected command on the server.
Users can upgrade to Koha version 23.05.10 or later, where this vulnerability has been fixed.