On 30/08/2007, at 8:22 PM, Andrew Yager wrote:
Hi,
First let me say that this is not a very serious security issue, so please don't freak out.
We've just done an audit of Koha (OPAC and Intranet) and have found a number of XSS vulnerabilities in the code. This allows a malicious attacker, with a carefully crafted web site to potentially trick your users into providing sensitive information to a site other than yours (e.g. usernames and passwords).
Is anyone aware of patches for these currently in circulation? If not, I'll have a look at the problems and attempt to address them and then release a patch.
Hi Andrew We did fix this up a while back for the opac, but overtime vulnerabilities might have crept back in. I'm not too worried about the intranet side, if someone malicious has access to that, you have bigger problems than xss :-) But Id certainly like to see patches for the opac. What you might like to do is get the latest version from git http://wiki.koha.org/doku.php?id=en:development:git_usage This is the code that will be 3.0. If you want to discuss this more, it would probably be best on the koha-devel list, which I'd encourage you to join if you haven't already. Chris -- Chris Cormack chris.cormack@liblime.com VP Research and Development www.liblime.com LibLime +64 21 542 131