VYPR
Unrated severity · NVD Advisory · Published Mar 6, 2023 · Updated Aug 6, 2024

ByWater Solutions bywater-koha-xslt systempreferences.pl StringSearch sql injection

CVE-2015-10091

Description

A vulnerability has been found in ByWater Solutions bywater-koha-xslt and classified as critical. This vulnerability affects the function StringSearch of the file admin/systempreferences.pl. The manipulation of the argument name leads to SQL injection. The attack can be initiated remotely. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as 9513b93c828dfbc4413f9e0df63647401aaf4e58. It is recommended to apply a patch to fix this issue. VDB-222322 is the identifier assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical SQL injection vulnerability in ByWater Koha XSLT's StringSearch function allows remote attackers to execute arbitrary SQL commands via the name parameter.

Vulnerability

A critical SQL injection vulnerability exists in the StringSearch function within admin/systempreferences.pl of ByWater Solutions' bywater-koha-xslt. The function constructs an SQL query by directly concatenating user-supplied values from the name parameter into the query string without using parameterized queries [1]. This allows an attacker to inject arbitrary SQL commands. Due to the continuous delivery rolling release model, no specific affected version numbers are available; however, all versions prior to the patch are vulnerable.

Exploitation

An attacker can exploit this vulnerability remotely by sending a crafted HTTP request to the admin/systempreferences.pl endpoint with a malicious name parameter containing SQL injection payloads. No authentication is explicitly required based on the available information, but the endpoint may be restricted to authenticated users in typical deployments. The vulnerable code path directly interpolates the name value into the SQL statement, enabling the attacker to manipulate the query.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to unauthorized access, disclosure, modification, or deletion of sensitive data stored in the Koha system. Given the critical severity, full compromise of the database is possible.

Mitigation

The fix is implemented in commit 9513b93c828dfbc4413f9e0df63647401aaf4e58 [1], which replaces the vulnerable string interpolation with parameterized queries using placeholders. Users should apply this patch immediately. As the product uses rolling releases, no version-specific update is provided; the patch should be integrated into the current deployment. No workarounds are documented.
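The following Perl/DBI script is an added illustration of the class of fix the advisory describes; it is example code, not Koha's or ByWater's source, and the table columns, row contents and function shapes are assumed because the page does not show the vulnerable code. It places the interpolated query beside its placeholder-based replacement and runs both against a constructed in-memory SQLite table (DBD::SQLite assumed installed) on an ordinary search term containing an apostrophe.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for Koha's systempreferences table, held in an
# in-memory SQLite database so the script runs offline (requires DBD::SQLite).
my $dbh = DBI->connect( "dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 } )
    or die $DBI::errstr;

$dbh->do("CREATE TABLE systempreferences (variable TEXT PRIMARY KEY, value TEXT, explanation TEXT)");
my $ins = $dbh->prepare("INSERT INTO systempreferences (variable, value, explanation) VALUES (?, ?, ?)");
$ins->execute(@$_) for (
    [ 'LibraryName',     "O'Reilly Memorial Library", 'Name shown in the OPAC header' ],
    [ 'SearchEngine',    'Zebra',                     'Search backend used by the catalogue' ],
    [ 'OpacSuppression', '0',                         'Hide suppressed records in the OPAC' ],
);

# Pre-patch shape as described in the advisory (hypothetical reconstruction,
# not Koha's code): the search string is interpolated into the SQL text, so
# whatever the caller supplies becomes part of the statement's structure.
sub string_search_unsafe {
    my ($searchstring) = @_;
    my $sql = "SELECT variable, value FROM systempreferences "
            . "WHERE variable LIKE '%$searchstring%' OR value LIKE '%$searchstring%'";
    return $dbh->selectall_arrayref($sql);
}

# Post-patch shape: the SQL text is constant and the value travels as a
# bind parameter, so the driver treats it as data whatever it contains.
sub string_search_safe {
    my ($searchstring) = @_;
    my $sql = "SELECT variable, value FROM systempreferences "
            . "WHERE variable LIKE ? OR value LIKE ?";
    my $pattern = '%' . $searchstring . '%';
    return $dbh->selectall_arrayref( $sql, undef, $pattern, $pattern );
}

# A legitimate search term with an apostrophe is enough to show the
# difference: the interpolated statement stops being valid SQL, while the
# parameterised one simply finds the matching row.
my $needle = "O'Reilly";    # constructed input

my $rows = eval { string_search_unsafe($needle) };
print "unsafe: query rejected by the database: $@" unless $rows;

$rows = string_search_safe($needle);
printf "safe:   %s = %s\n", @$_ for @$rows;
```

Two practical notes for anyone reviewing a patch of this kind: a bound value still has `%` and `_` interpreted as LIKE wildcards (a matching quirk, not an injection path; escape them if exact matching matters), and placeholders only close the hole if every interpolation point in the file is converted, so the review should cover the whole script rather than the one line named in the advisory.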

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
