
Security vulnerability

Open arthurdarcet opened this issue 4 years ago • 4 comments

We found a serious vulnerability in the source code of this project. We've tried contacting you at info, root and postmaster @librivox.org with no success. Can you share an email we can use to discuss this?

arthurdarcet avatar Oct 13 '20 08:10 arthurdarcet

This is indeed a massive problem, and will take time and effort to fix (not just sticking a $this->db->escape in a couple of places, unfortunately). Grepping the code for $this->db->query($sql) (as opposed to $this->db->query($sql, which is the parametrized variant, and should be safe) yields:

```
artom@librivox-dev:/librivox/www/librivox.org/catalog$ grep -l -F '$this->db->query($sql)' -R application/
application/core/Catalog_controller.php        # Addressed in https://github.com/LibriVox/librivox-catalog/pull/170
application/libraries/Librivox_search.php
application/libraries/Librivox_simple_search.php
application/models/Project_model.php        # Addressed in https://github.com/LibriVox/librivox-catalog/pull/170
application/models/Project_reader_model.php
application/models/User_model.php
application/models/Author_model.php
application/models/Section_model.php
application/models/Form_generators_authors_model.php
application/models/Stats_model.php
application/controllers/cron/Project_status_stats.php
application/controllers/cron/Search_table_update.php
```

Some of these might be safe because they $this->db->escape their inputs before concatenating them into the $sql query, but each one will need investigation.

I think what I'll do is use this comment (and edit it as things progress) to track the status of each file, and link patches where applicable.

notartom avatar Oct 16 '22 23:10 notartom
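As an added illustration (not code from librivox-catalog), the three query styles the comment above contrasts, written as methods of a hypothetical CodeIgniter 3 model; the `projects` table, its columns and the method names are assumed:

```php
<?php
// Added example, not from the librivox-catalog code base. Assumes CodeIgniter 3:
// CI_Model is loaded and $this->db is the usual database driver object.

class Example_model extends CI_Model
{
    // Before: the pattern the grep above finds. $title is concatenated into
    // $sql, so a value containing a quote changes the structure of the query.
    public function find_by_title_unsafe($title)
    {
        $sql = "SELECT id, title FROM projects WHERE title = '" . $title . "'";
        return $this->db->query($sql)->result();
    }

    // Minimal fix: escape before concatenating. $this->db->escape() adds the
    // surrounding quotes itself. This is only correct if *every* interpolated
    // value in the statement is escaped, which is why each grep hit above
    // still needs to be read through rather than matched on by pattern alone.
    public function find_by_title_escaped($title)
    {
        $sql = "SELECT id, title FROM projects WHERE title = "
             . $this->db->escape($title);
        return $this->db->query($sql)->result();
    }

    // Preferred: the parametrized variant, $this->db->query($sql, $binds).
    // CodeIgniter substitutes each ? with the escaped bind value, so the
    // query text itself never depends on user input. Note that bindings
    // cover values only; table and column names or an ORDER BY direction
    // still have to come from a fixed whitelist, not from the request.
    public function find_by_title_bound($title)
    {
        $sql = "SELECT id, title FROM projects WHERE title = ?";
        return $this->db->query($sql, array($title))->result();
    }
}
```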

https://github.com/LibriVox/librivox-catalog/pull/145 is a start at this

notartom avatar Oct 24 '22 03:10 notartom

I would suggest keeping the pull requests hidden until the fix is released (I think github has a feature for this): this vulnerability can be used to drop your database in production right now

arthurdarcet avatar Oct 24 '22 13:10 arthurdarcet

Fair point, though given the code has been public for years, I wonder how real the practical risk actually is. I couldn't find a way to make pull requests private, so what I think I'll do is just merge them bit by bit to avoid having them open for too long.

notartom avatar Oct 24 '22 14:10 notartom