Time  Nick        Message
00:00 tcohen      bug 11672
00:00 huginn      Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11672 normal, P5 - low, ---, tomascohen, Pushed to Master , Untranslatable report areas in step 1 of Guided Reports
00:00 tcohen      it isn't on the stable branch, so nevermind :-D
00:06 cait        good night all :)
00:07 bgkriegel__ tcohen: yes, they appear
00:07 tcohen      ok, managed to exploit vulnerability on git installs
00:09 dcook       tcohen: The bash one?
00:09 dcook       or is this a Koha specific one?
00:09 tcohen      just the bash one
00:09 tcohen      gityfied setups vulnerable
00:09 tcohen      however it is written :-P
00:09 rangi       quick fix is an .htaccess
00:10 dcook       I don't think I have any git installs open to the internet
00:10 dcook       But I think Bywater exclusively use git installs..
00:10 rangi       they've been switching to packages
00:10 dcook       Sweet
00:10 tcohen      some people deploy with dev installs
00:10 rangi       plus I'm sure they are upgrading
00:11 rangi       hopefully those who do dev installs, are patching :)
00:11 dcook       Yeah, I tried to exploit the vulnerability but we have proxies in front and they're not using bash.
00:11 tcohen      curl -H 'User-Agent: () { :;}; /usr/bin/touch /tmp/hacked' http://koha-dev.biblioadmin/
00:11 tcohen      ^^^ ^^ that's what I did
00:12 dcook       Yeah, I did that as well
00:12 tcohen      i don't think a proxy would prevent it
00:12 rangi       some proxies strip user agent
00:12 tcohen      (i don't think they mangle the UA)
00:12 dcook       I tried a few other headers as well
00:12 rangi       if they did that, it would
00:12 tcohen      ah
00:12 tcohen      bad guys
00:12 eythian     you can use almost any header
00:12 dcook       ^
00:12 rangi       but yeah
00:12 tcohen      exactly
00:13 rangi       I wouldn't be sure a proxy is safer
00:13 rangi       I'd patch bash and put .htaccess in
00:13 dcook       The proxy doesn't have bash, but yeah still patched bash anyway
00:13 rangi       to stop the dirs that shouldn't be accessible being accessible :)
00:13 tcohen      we could push a .htaccess
00:13 rangi       doesn't matter if the proxy has bash or not
00:13 dcook       Mmm, we do have a more locked down vhost than the standard Koha install as well..
00:13 dcook       Although it would still be able to touch tmp
00:14 dcook       rangi: I just mean that the proxy isn't going to execute any code.
00:14 rangi       *nod* but whatever it passes through to will :)
00:14 dcook       And if it does something to the strings it passes to the backend server that does have bash... then nada
00:14 dcook       It didn't though
00:14 tcohen      dcook: if you can run touch /tmp
00:14 tcohen      then you can inject whatever
00:15 dcook       tcohen: ?
00:15 rangi       unless the proxy is stripping all headers and user agents, from the request it passes to the webserver, there's still a way in
00:15 dcook       rangi: I expected the proxied server to execute the bash but it didn't :/
00:15 dcook       It must be stripping them all
00:15 eythian     dcook: that's not how it works
00:15 rangi       you can see if you look in the access logs
00:16 dcook       rangi: Yeah, I was thinking about being a bit more thorough in checking the logs
00:16 dcook       eythian: How do you mean?
00:16 eythian     dcook: it won't be shelling to anything to proxy a request.
00:16 dcook       eythian: That's not what I meant
00:16 dcook       eythian: At least I don't think that's what I meant :p
00:16 tcohen      this baby would run a remote shell using a pipe on /tmp http://pastebin.com/dEYQndKG
00:16 dcook       eythian: I figured the proxy would pass the string as is to the Koha server
00:16 eythian     ah, it will, in general
00:16 dcook       eythian: And the Koha server would execute the code via the bash vulnerability
00:17 dcook       But it didn't
00:17 eythian     if it didn't, everything would break.
00:17 eythian     well, koha doesn't run a shell, in most cases.
00:17 eythian     it usually calls perl, and perl doesn't have the issue.
00:17 dcook       Isn't Apache setting environmental variables though?
00:17 tcohen      it will only happen if you point to a .sh file in CGI-mode
00:17 rangi       dcook: you have to hit the right url, e.g. one on a dev install
00:17 eythian     dcook: yes, but it's bash that takes those variables and causes problems with them
00:17 eythian     perl doesn't care
00:18 dcook       Right
00:18 rangi       where some of the .sh files are accessible
00:18 eythian     and if there's no bash in the pipeline, nothing is going to happen
00:18 dcook       eythian: Unless it's shelling out for whatever reason
00:18 eythian     which isn't something we do in koha so far as I could tell with a quick scan.
00:18 dcook       I think the only time we do is for rebuild_zebra.pl?
00:18 eythian     you never run that from apache
00:19 dcook       True true
00:19 dcook       Although I think it was suggested at one point :p
00:19 eythian     even then, we're probably not launching a shell from within it.
00:20 dcook       I thought commands like "system" and such generally used a subshell
00:20 eythian     nope
00:20 eythian     "Does exactly the same thing as "exec LIST", except that a fork is done first and the parent process
00:20 eythian     waits for the child process to exit."
00:21 eythian     exec calls execvp(3) which loads the new code over the top of current process
00:21 tcohen      a 'system' call is an attack vector
00:22 eythian     no shell in there, unless you do it yourself.
00:22 tcohen      ah
00:22 tcohen      so we are safe even if we pass user-provided stuff
00:22 eythian     you have to be mega careful when calling a shell anyway, because shell injection is a thing that's been around forever.
00:23 eythian     yes, though I still prefer to whitelist, as there could be other bugs.
00:23 rangi       the only danger afaict that is koha specific is if you are running on a git install
00:23 eythian     e.g. a buffer overflow in argument processing.
00:24 eythian     rangi: time for steak?
00:24 rangi       yep :)
00:25 rangi       bbiab
00:26 dcook       Mmm food
00:26 dcook       tcohen: So the git install calls a shell script on the main page?
00:27 tcohen      dcook: sorry, wrong line
00:27 tcohen      curl -H 'User-Agent: () { :;}; /usr/bin/touch /tmp/hacked' http://koha-dev.biblioadmin/cgi-bin/koha/misc/bin/sip_run.sh
00:27 tcohen      ^^^^ that was the one
00:27 tcohen      and you notice the problem more clearly
00:28 tcohen      sorry for the confusion
00:28 dcook       Mmm, I gotcha now
00:28 dcook       I see now about the .htaccess as well
00:28 dcook       All has been made clear :D
00:28 * tcohen    is glad to hear
00:29 * dcook     now seeks to unlock his wife's disabled ipad
00:29 tcohen      dcook: go to greece, leave the IRC
00:29 dcook       Ah, I don't leave for another... 11 hours :)
00:29 dcook       Still have a full day of work left ahead of me
00:29 dcook       And last minute prep
00:35 tcohen      :_D
00:39 wizzyrea    hm yeah git installs on the public internet are kind of scary
00:40 dcook       totes
00:41 * dcook     sings a song he just invented about multitasking
00:41 dcook       It's basically just me singing "multitasking" over and over again
00:48 dcook       Bloody hell, Apple...
00:48 dcook       I guess it's secure but yikes
00:51 wizzyrea    @later tell oleonard in the process of looking for something else, I found this little gem of a conversation http://irc.koha-community.org/koha/2013-10-03#i_1397312
00:51 huginn      wizzyrea: The operation succeeded.
01:00 dcook       So it turns out 6 or so password tries and your Apple device is totally bricked until you reset the device to factory settings
01:00 dcook       Ideally, you've backed up your device recently, so it shouldn't matter too much.
01:00 dcook       [off] Of course, my partner doesn't listen to me about the need to backup regularly :P
01:01 wizzyrea    errrrr really?
01:01 dcook       Yeppers
01:01 dcook       Fortunately this is a tablet and not a phone. A phone would be much worse.
01:01 wizzyrea    that seems... unnecessary
01:01 * dcook     is glad this happened the day before we leave for holiday rather than "on" holiday
01:01 dcook       wizzyrea: Agreed
01:01 wizzyrea    nothing you can do from the web interface?
01:01 dcook       Nopes
01:01 dcook       That would just make sense :)
01:01 wizzyrea    after logging in and giving a blood sample
01:02 wizzyrea    and presenting an original of the purchase receipt
01:02 dcook       Or even say your Apple ID and password
01:02 wizzyrea    that is nowhere near secure enough.
01:02 wizzyrea    ^.^
01:03 dcook       When compared with the blood sample, sure :p
01:03 dcook       It would be hackable.
01:03 dcook       Being able to remotely erase a device is certainly different to remotely unlocking.
01:04 dcook       Of course, if you backup to the cloud, and your cloud gets hacked anyway...
01:04 dcook       Then the security of protecting your data on your device becomes a bit moot
01:05 dcook       Honestly, I kind of like this idea.
01:05 dcook       I think you can plug away endlessly at an Android device
01:19 wizzyrea    possibly so
01:20 wizzyrea    locking people out and requiring a factory wipe though
01:20 wizzyrea    that seems excessive.
01:21 wizzyrea    they could 2 factor it, make you login online and (send an email, text, phone call, etc)
01:21 wizzyrea    that would require effort for them though.
01:21 dcook       Hmm, doable though
01:21 dcook       Since it's Apple, it would be pretty easy too
01:22 dcook       I liked my ipod classic, but since it was getting older and ultimately stolen, I don't miss Apple
01:22 * dcook     enjoys his Android tablet and phone
01:22 wizzyrea    yeah same
01:22 eythian     androids lock out
01:23 eythian     but they lock out to require your google creds I think
01:23 dcook       eythian: Might be a setting for that? Or maybe I just enter my password correctly most of the time
01:23 wizzyrea    i haven't ever had that problem
01:23 eythian     which apparently is an issue if you have wifi off on a tablet.
01:23 eythian     It takes quite a few goes
01:23 wizzyrea    (oops)
01:23 dcook       25 maybe?
01:23 eythian     I've heard it happening to people.
01:23 dcook       25 sounds familiar..
01:23 eythian     p'raps
01:23 dcook       Interesting :)
01:23 wizzyrea    can't say I've ever messed it up that many times.
01:23 dcook       Of course, I don't keep anything on my tablet
01:24 dcook       Nothing unique that is
01:24 eythian     it looks like some models wipe at 10
01:24 dcook       Just lots of comics O_O
01:24 eythian     but I think that's specific to those manufacturers.
01:25 wizzyrea    I want to know why the australia post just followed me.
01:25 dcook       Probably
01:25 wizzyrea    on twitter.
01:25 dcook       wizzyrea: Yeah, they followed me a while ago too. It's weird.
01:25 dcook       Is it verified?
01:25 * dcook     suspects perhaps that it is not actually the AP
01:25 dcook       wth... Java, you're killing me
01:25 dcook       I already installed the third party library..
01:27 dcook       Well, Maven that's killing me..
01:28 dcook       Mmm, I have an ideer..
01:28 dcook       DSpace should have a more global community, so I wouldn't have to rant about DSpace related things to you folks :p
01:30 dcook       Mmmm..
01:30 * dcook     has a feeling Maven is saying build successful when it's actually not...
01:40 dcook       Yee-ah. That's what I'm talkin' 'bout.
01:52 tcohen      night #koha
01:53 dcook       night tcohen :)
01:53 dcook       See you in a month :)
01:53 dcook       Err talk to you in a month
01:53 dcook       Have a good Kohacon!
01:57 wizzyrea    have fun dcook
02:09 dcook       thanks wizzyrea :)
02:09 dcook       Still 5 hours before I head out for the day :)
02:10 wizzyrea    oh never mind then.
02:10 * dcook     just likes collecting well wishes he guesses
04:18 wizzyrea    ok, well it's beer o'clock in NZ, dcook, have an excellent time, take lots of pictures, have a great time, and come home safely.
04:18 wizzyrea    redundant wizzy is redundant
04:19 dcook       :)
04:19 dcook       Thanks, wizzyrea :)
04:19 dcook       I'll try to have a both excellent and great time :)
04:19 dcook       We'll be safe and have fun!
04:19 dcook       Also lots of photos.
04:19 dcook       Enjoy beer o'clock!
04:27 eythian     hi dcook
04:27 eythian     bye dcook, enjoy Greece
04:27 eythian     !
04:50 dcook       Thanks, eythian!
04:55 dcook       Bloody Apple...
04:55 dcook       Resetting this iPad has been such a labour..
04:56 dcook       continues to be*
05:32 * magnuse   waves
05:36 dcook       yo magnuse
05:51 magnuse     wassup dcook
05:51 magnuse     in da house!
05:51 magnuse     @wunder boo
05:51 huginn      magnuse: The current temperature in Bodo, Norway is 8.0°C (7:20 AM CEST on September 26, 2014). Conditions: Light Rain. Humidity: 81%. Dew Point: 5.0°C. Windchill: 4.0°C. Pressure: 29.09 in 985 hPa (Falling).
05:53 dcook       hehe
05:53 dcook       Scrambling to finish up a few things all at once in my last hour or so of work ;)
06:10 magnuse     kia ora cait
06:19 cait        kia ora :)
06:38 reiveune    hello
06:49 alex_a      bonjour
06:56 Joubu       Bonjour
06:56 wahanui     what's up, Joubu
07:02 dcook       Ahhh
07:02 dcook       Holiday loooooooms!
07:02 dcook       So exciting
07:14 fridolin    hie all
07:28 gaetan_B    hello
07:36 cait        bye all... spending another day on atrain
07:57 Joubu       magnuse: what do you think about the new patch on bug 10743?
07:57 huginn      Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10743 enhancement, P5 - low, ---, nengard, RESOLVED FIXED, add style to privacy rules
07:58 Joubu       hum... not this one
07:58 Joubu       bug 10473
07:58 huginn      Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=10473 normal, P3, ---, amitddng135, Signed Off , Prompt for confirmation if more than 99 items are being added
08:01 * magnuse   commented on the bug
08:03 Joubu       thanks magnuse! :)
09:51 cait        @wunder Konstanz
09:51 huginn      cait: The current temperature in Taegerwilen, Taegerwilen, Germany is 12.2°C (11:50 AM CEST on September 26, 2014). Conditions: Overcast. Humidity: 91%. Dew Point: 11.0°C. Pressure: 30.33 in 1027 hPa (Steady).
10:27 cait        ashimema: around?
11:58 oleonard    Hi #koha
11:59 oleonard    sql whatcha-ma-jigger?
11:59 wahanui     sql whatcha-ma-jigger is http://wiki.koha-community.org/wiki/SQL_Reports_Library
11:59 oleonard    Sweet.
12:02 tcohen      heh
12:02 tcohen      morning
12:05 magnuse     ¡hola!
12:06 tcohen      hola Magnus
12:11 * cait      waves from another train
12:17 cait1       @wunder Cordoba, Argentina
12:17 huginn      cait1: The current temperature in Bo Alto de San Martin, Cordoba City, Argentina is 15.0°C (9:15 AM ART on September 26, 2014). Conditions: Scattered Clouds. Humidity: 36%. Dew Point: 0.0°C. Pressure: 30.24 in 1024 hPa (Rising).
12:17 * cait1     tries to do a git bz attach but internet not working well :(
12:27 oleonard    I find that sorting checkouts by date due in circulation is broken in master
12:31 cait        @wunder Dortmund
12:31 huginn      cait: Error: No such location could be found.
12:31 cait        @wunder Bochum
12:31 huginn      cait: The current temperature in Bochum Weitmar, Bochum, Germany is 16.7°C (2:25 PM CEST on September 26, 2014). Conditions: Mostly Cloudy. Humidity: 98%. Dew Point: 16.0°C. Pressure: 30.18 in 1022 hPa (Steady).
12:37 cait        Joubu: around?
12:45 Joubu       cait: yep
12:45 cait        ah :)
12:45 cait        i think i figured it out
12:45 cait        i am looking at the serials claiming patch and the qa script noted a problem with the pod
12:46 Joubu       cait: 5342 ?
12:46 cait        yep
12:46 cait        i have a tiny follow up adding a blank line - that seems to fix it
12:47 cait        don't worry, i will continue testing :)
12:48 Joubu       cait: weird, I only get a warning on claims.tt about a tab char
12:48 Joubu       on which file did you get the pod error?
12:48 cait        i fixed that too
12:48 cait        for me it complained in serials.pm about a missing blank line before the =cut too
12:49 cait        around line 26xx
12:49 Joubu       cait: ok. The patch does not change the pod...
12:50 cait        i know
12:50 cait        not sure why the qa script picked it up
12:50 cait        but probably not bad adding the line
12:50 Joubu       cait: yep, thanks!
12:50 cait        Joubu: do you know where we have a list of the numerical serial status?
12:50 cait        hm maybe in the template
12:51 Joubu       cait: yes. There is another patch, but still stuck in NSO I believe
12:52 Joubu       cait: bug 11814, there is a list of serial status in it
12:52 huginn      Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11814 enhancement, P5 - low, ---, jonathan.druart, Needs Signoff , Serial statuses should be stored in constants
12:52 cait        thx, i am looking at serials-collection.tt :)
12:52 cait        7 = claimed :)
12:52 oleonard    Ugh. git blame me, again.
12:53 * cait      hands oleonard the box of cookies
12:53 oleonard    I have a feeling it's going to take the whole box
12:53 Joubu       :)
12:55 cait        oleonard: which piece of code is blaming you?
12:55 oleonard    It was my fix for Bug 12899 that broke sorting by date due of checkouts on the circ page
12:55 huginn      Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12899 normal, P5 - low, ---, oleonard, Pushed to Stable , Row grouping in checkouts table is alphabetical and layout depends on words chosen in translation
13:07 Viktor      Hi #koha
13:08 Viktor      I happened to get bug 13 000 for something I wanted to discuss. Not sure if that's a good sign or not :)
13:08 huginn      Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13 normal, P2, ---, chris, CLOSED FIXED, aqbooksellers.pl is missing in /admin/ directory
13:08 Viktor      bug 13000
13:08 huginn      Bug http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13000 enhancement, P5 - low, ---, gmcharlt, NEW , Split additem.pl into three tabs to allow implicit posting of the form with [enter]
14:03 druthb      @wunder 77063
14:03 huginn      druthb: The current temperature in Briargrove Park, Houston, Texas is 24.3°C (9:02 AM CDT on September 26, 2014). Conditions: Clear. Humidity: 68%. Dew Point: 18.0°C. Pressure: 30.06 in 1018 hPa (Steady).
14:27 rambutan    @wunder 64507
14:27 huginn      rambutan: The current temperature in Wyatt Park, St Joseph, Missouri is 19.8°C (9:27 AM CDT on September 26, 2014). Conditions: Mostly Cloudy. Humidity: 81%. Dew Point: 16.0°C. Pressure: 30.16 in 1021 hPa (Rising).
15:12 Joubu       cait: around?
15:12 cait        only for a quick moment more
15:12 Joubu       thanks to QA 5342 :)
15:12 cait        :)
15:12 Joubu       cait: just a quick question, about 6)
15:12 cait        i would have been a bit faster if my mobile broadband didn't decide to die and disappear
15:12 cait        :(
15:12 Joubu       did you have already a primary email?
15:13 Joubu       or did you define it to test this patch?
15:13 cait        hm no i entered it and saved it
15:13 Joubu       ok, you had to logout/login
15:13 cait        aha!
15:13 Joubu       Yep, I had the same problem :)
15:13 cait        so you can probably scratch 6) then :)
15:13 Joubu       thanks
13:13 cait        i thought as Paola tested it, it's likely to be configuration or something on my side
15:14 cait        but couldn't figure it out :)
15:15 cait        i guess the tests might pass for you too... maybe some data problem
15:16 cait        i will try to get back to this one soon :)
15:16 cait        bye all
15:36 Joubu       have a good weekend #koha!
15:50 fridolin    see u
19:23 * cait      waves
19:24 rambutan    is there any place to post comments on the CoC?
19:24 cait        hi rambutan
19:24 rambutan    hi cait
19:25 cait        i think you could use the mailing list
19:25 cait        i think there is an old thread, but probably could just start a new one
19:25 rambutan    yea, I could
19:53 cait        hi tcohen
19:58 tcohen      hi cait