cbcvebase.
CVE-2015-4633
published 2018-10-18

Priority: P268
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 6.02% (92.4th percentile)
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.

Affected (10 ranges)

Vendor           Product   Version range                Fixed in
koha             koha      >= 3.14.00, < 3.14.16        3.14.16
koha             koha      >= 3.16.00, < 3.16.12        3.16.12
koha             koha      >= 3.18.00, < 3.18.08        3.18.08
koha             koha      >= 3.20.00, < 3.20.01        3.20.01
koha_community   koha      < 22.11.38                   22.11.38
koha_community   koha      23.05.00 – 23.11.15          (none listed)
koha_community   koha      >= 24.05.00, < 24.11.16      24.11.16
koha_community   koha      >= 25.05.00, < 25.05.11      25.05.11
koha_community   koha      >= 25.11.00, < 25.11.05      25.11.05
koha_community   koha      >= 26.05.00, < 26.05.01      26.05.01

Note: only the four koha rows (3.14 through 3.20 branches) match the NVD description above; the koha_community ranges are this database's own affected-range data and should be checked against the vendor's advisories before being used for patch decisions.

Detection & IOCs (extracted from sources)

url:      /cgi-bin/koha/opac-tags_subject.pl?number=10
path:     /cgi-bin/koha/opac-tags_subject.pl
path:     /cgi-bin/koha/reports/borrowers_out.pl
command:  number=1 PROCEDURE ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)
command:  Criteria=ELT(1=1,'evil')
command:  Criteria=ELT(1=2,'evil')
port:     9001
port:     9002
  • Monitor GET requests to opac-tags_subject.pl where the 'number' parameter contains SQL keywords or time-based blind injection patterns such as PROCEDURE ANALYSE, BENCHMARK or EXTRACTVALUE. PROCEDURE ANALYSE() was deprecated in MySQL 5.7 and removed in MySQL 8.0, so a tool such as sqlmap will fall back to other time-based primitives (for example SLEEP()) against newer servers; match on those as well, not only on the exact PoC string.
  • Monitor POST requests to reports/borrowers_out.pl for SQL injection payloads in the 'Filter' or 'Criteria' parameters, specifically ELT() boolean-based injection. ELT(N, s1, ...) returns the Nth string, so ELT(1=1,'evil') evaluates to 'evil' while ELT(1=2,'evil') evaluates to NULL; the attacker compares the two responses to read the result of an arbitrary condition one bit at a time.
  • The OPAC-side injection in opac-tags_subject.pl requires no authentication; 'number' is an integer in normal use, so alert on any non-numeric or otherwise anomalous value in the 'number' GET parameter from unauthenticated sessions.
  • Detect time-based blind SQLi exploitation attempts by monitoring for unusually high response latency on requests to opac-tags_subject.pl, consistent with BENCHMARK() delays. Baseline the endpoint's normal latency first; a single slow request is weak evidence on its own and is most useful when combined with a suspicious 'number' value from the same client.
  • The Staff interface borrowers_out.pl exploitation in the PoC delivers a hand-crafted HTTP POST over a raw TCP connection (nc) rather than through a browser, so such requests may lack the headers and session cookie a browser would send. Inspect POST bodies to reports/borrowers_out.pl on the Koha staff port (9001 and 9002 are the ports seen in the PoC) for SQL in the 'Criteria' or 'Filter' parameters regardless of the client's headers.
  • The time-based blind injection technique requires sqlmap's --time-sec tuning; network latency can cause false negatives or errors during exploitation, as evidenced by repeated time-delay increases during the PoC.
  • Filesystem read/write access via SQL injection (LOAD_FILE(), INTO OUTFILE) is only possible if the MySQL server is misconfigured, e.g. the FILE privilege is granted to the Koha database user or secure_file_priv is left empty so that no directory restriction applies.
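As an added example (not code from this record, from the PoC or from the Koha project), the following Python script applies the detection rules above to a constructed log excerpt. The one-request-per-line log format, the client addresses, status codes, response times and the 3-second latency threshold are assumptions for the example; the paths, parameter names and payloads are the IOCs listed in this record.

```python
import re
from urllib.parse import parse_qs

# Constructed log excerpt (assumption: one request per line in the format
#   client method path "query-string-or-POST-body" status duration_ms).
# Paths, parameter names and payloads are the IOCs from this record; the
# client addresses, status codes and timings are made up for the example.
SAMPLE_LOG = """\
203.0.113.5 GET /cgi-bin/koha/opac-tags_subject.pl "number=10" 200 41
203.0.113.5 GET /cgi-bin/koha/opac-tags_subject.pl "number=1%20PROCEDURE%20ANALYSE(EXTRACTVALUE(9743,CONCAT(0x5c,(BENCHMARK(4000000,MD5(0x4b754a4b))))),1)" 200 6120
203.0.113.5 GET /cgi-bin/koha/opac-tags_subject.pl "number=1'" 500 38
203.0.113.7 POST /cgi-bin/koha/reports/borrowers_out.pl "Filter=all&Criteria=ELT(1%3D1,'evil')" 200 55
203.0.113.7 POST /cgi-bin/koha/reports/borrowers_out.pl "Filter=all&Criteria=ELT(1%3D2,'evil')" 200 52
192.0.2.9 POST /cgi-bin/koha/reports/borrowers_out.pl "Filter=all&Criteria=2015" 200 60
203.0.113.5 GET /cgi-bin/koha/opac-tags_subject.pl "number=12" 200 5300
"""

LINE_RE = re.compile(r'^(\S+) (GET|POST) (\S+) "([^"]*)" (\d{3}) (\d+)$')

# Keywords taken from the PoC payloads (PROCEDURE ANALYSE, BENCHMARK,
# EXTRACTVALUE, ELT) plus the generic primitives sqlmap falls back to.
SQLI_KEYWORDS = re.compile(
    r"\b(PROCEDURE\s+ANALYSE|BENCHMARK|EXTRACTVALUE|SLEEP|UNION|SELECT|ELT)\b",
    re.IGNORECASE,
)

OPAC_PATH = "/cgi-bin/koha/opac-tags_subject.pl"
STAFF_PATH = "/cgi-bin/koha/reports/borrowers_out.pl"
SLOW_MS = 3000  # assumption: set from the endpoint's measured baseline


def analyze_line(line):
    """Parse one log line and return {client, path, alerts}, or None if it
    does not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, qs, _status, ms = m.groups()
    # parse_qs URL-decodes values, so %20 / %3D in the payloads become ' ' / '='
    params = {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}
    ms = int(ms)
    alerts = []

    if path == OPAC_PATH and method == "GET":
        number = params.get("number", "")
        # 'number' is an integer in normal use; anything else (including a
        # missing value) is anomalous on an unauthenticated endpoint.
        if not number.isdigit():
            alerts.append("opac non-numeric number parameter")
        if SQLI_KEYWORDS.search(number):
            alerts.append("opac SQL keyword in number parameter")
        if ms >= SLOW_MS:
            alerts.append("opac slow response (possible BENCHMARK delay)")

    elif path == STAFF_PATH and method == "POST":
        # Both parameters named in the advisory are injectable; the PoC
        # uses Criteria with ELT() boolean-based payloads.
        for name in ("Filter", "Criteria"):
            if SQLI_KEYWORDS.search(params.get(name, "")):
                alerts.append(f"staff SQL payload in {name} parameter")

    return {"client": client, "path": path, "alerts": alerts}


def scan(log_text):
    """Return the records that raised at least one alert, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = analyze_line(line)
        if rec and rec["alerts"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["client"], rec["path"], "; ".join(rec["alerts"]))
```

The last sample line (a numeric 'number' that merely took 5.3 s) shows why the latency rule should be weighted, not alerted on alone: it fires without any payload in the request, whereas the real PoC line trips all three OPAC rules at once.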

CVSS provenance

NVD   v3.0   9.8   CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD   v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P