Skip to content

Zebra allows access to internal configuration files #56

New issue
New issue
Open
Open
Zebra allows access to internal configuration files#56
@powerriegel

Description

@powerriegel
powerriegel
opened on Jun 5, 2024

Zebra 2.2.2-1 on Debian Bullseye allows to access
DOMAIN:ZEBRAPORT/app/etc/local.xml

which contains password and user name in clear text.

<zs:explainResponse>
<zs:version>2.0</zs:version>
<zs:record>
<zs:recordSchema>http://explain.z3950.org/dtd/2.0/</zs:recordSchema>
<zs:recordXMLEscaping>xml</zs:recordXMLEscaping>
<zs:recordData>
<explain xml:base="../../zebradb/explain-biblios.xml">
<!--
 try stylesheet url: http://./?stylesheet=docpath/sru2.xsl 
-->
<serverInfo protocol="SRW/SRU/Z39.50">
<host>localhost</host>
<port>9999</port>
<!--
 <database numRecs="1314" lastUpdate="2006-03-15 09-05-33">
         Default</database> 
-->
<database>biblios</database>
<!--
<authentication>
      <user>xxxxxxxxxxx</user>
      <group>xxxxxxxxxxx</group>
      <password>xxxxxxxxxxxx</password>
    </authentication>
-->
</serverInfo>

If SRU is enabled, then the path would be DOMAIN/sru/etc/local.xml with the following standard Apache2 lines. This might be accessible world wide if you use SRU.

ProxyPass /sru/ http://localhost:ZEBRAPORT/
ProxyPassReverse /sru/ http://localhost:ZEBRAPORT/

We're using Zebra together with Koha 22.11.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions