Koha Command Injection Vulnerability in Task Scheduler Allowing Remote Code Execution

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in the Koha Integrated Library System, specifically in the task scheduler feature. This issue affects Koha versions prior to 24.05.07, 24.11.02, 23.11.12, and 22.11.24. The vulnerability arises in the 'tools/scheduler.pl' component, where user input from the 'report' parameter is directly inserted into a shell command without adequate validation or sanitization. An authenticated administrator with access to the task scheduler can exploit this flaw to execute arbitrary commands on the server.
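The pattern the advisory describes, a request parameter interpolated into a shell command string, beside a hardened version that allow-lists the report ID and starts the child process without a shell. This is an added illustration, not Koha's own code; the function names and the report_runner.pl path are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not Koha's code. Shows the unsafe pattern from the
# advisory (parameter interpolated into a shell command) next to a hardened
# form. build_command_unsafe, validate_report_id, run_report_safe and the
# report_runner.pl path are hypothetical names.
use strict;
use warnings;

# UNSAFE: the 'report' value becomes part of a single command string, so any
# shell metacharacters it carries are interpreted by /bin/sh when the string
# is passed to system() or backticks.
sub build_command_unsafe {
    my ($report) = @_;
    return "/usr/share/koha/bin/report_runner.pl --report $report";
}

# Allow-list validation: a report ID is a positive integer and nothing else.
# Returns the canonical ID, or undef when the input does not match.
sub validate_report_id {
    my ($report) = @_;
    return unless defined $report;
    return unless $report =~ /\A([1-9][0-9]{0,9})\z/;
    return $1;   # untainted copy of the matched digits only
}

# SAFE: validated ID, and the child is started with the list form of
# system(), which execs the program directly without a shell, so no
# metacharacter interpretation happens even if validation were bypassed.
sub run_report_safe {
    my ($report) = @_;
    my $id = validate_report_id($report);
    die "invalid report id\n" unless defined $id;
    my @cmd = ('/usr/share/koha/bin/report_runner.pl', '--report', $id);
    return system(@cmd) == 0;
}

# Constructed sample inputs: one legitimate ID and three that must be
# rejected because they contain whitespace or shell metacharacters.
for my $input ('42', '42 extra', '42;extra', '42`extra`') {
    my $verdict = defined validate_report_id($input) ? 'accepted' : 'rejected';
    printf "%-12s => %s\n", "'$input'", $verdict;
}
```

The loop at the bottom exercises only the validator, so the script runs as-is without the hypothetical runner being present.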

Impact

Exploitation of this vulnerability allows authenticated administrators to execute arbitrary commands on the server with the privileges of the web server user. This could lead to unauthorized access, modification, or deletion of library data, and potentially allow further access to the host system.

Reproduction

To reproduce this vulnerability, an authenticated user with administrative privileges can send a POST request to '/cgi-bin/koha/tools/scheduler.pl' with a crafted 'report' parameter. The parameter should include a valid report ID followed by shell metacharacters, such as triple backticks, to inject and execute commands on the server. After the request is processed, the injected command will be executed, and any output can be captured and used to demonstrate the successful exploitation of the vulnerability.

Remediation

Users can upgrade to Koha versions 24.05.07, 24.11.02, 23.11.12, or 22.11.24 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

category        score
spread          3.4
impact          7.5
exploitability  6.3
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.