Cross-site scripting vulnerability - Koha 16.11
We received email from our campus InfoSec group that a portion of our Koha site was vulnerable to cross-site scripting attacks. Below is the gist of the email we received:

GET: https://[our server]cgi-bin/koha/opac-shelves.pl?op=list&category=%22/%3E%3Cimg%20src=x%20onerror=%22alert(%27Doh!%20Insert%20Hax%20Here.%27)%22%20/%3E%3C!%E2%80%94

ATTACK DETAILS: This page is vulnerable to Cross-site scripting attacks.

Cross-site scripting attacks, in general, are an issue because they are enabling attacks. Specially-crafted malicious URLs can steal authentication tokens/cookies when a logged-in user visits them, giving the attacker full access to that user's account in the application. Reflected XSS attacks, in particular, are a concern as they can be used to socially engineer a user into clicking on what appears to be a legitimate URL.

Please also consider the following:

- Web application security testing should be performed regularly, especially for any public web applications. This includes tracking application inventory, general code review and vulnerability assessments using web application security testing tools.
- All input received by the web server should be checked before it is processed. The best method is to remove all unwanted input and accept only expected input. For example, ensure angle brackets are not allowed in any input to any Web page fields. Additionally, no syntactic input should be allowed. Syntactic input can come from databases, other servers, etc. All input into a Web application must be filtered to ensure the delivery of clean content to individuals using your service.
- Other References: OWASP Guide to Building Secure Web Applications and Web Services https://www.owasp.org/index.php/Category:OWASP_Guide_Project

--------------

Does anyone know if there is a newer version of Koha which addresses these issues?

Thanks,
Tom

--
Tom Hanstra
Sr. Systems Administrator
hanstra@nd.edu
http://library.nd.edu/
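Added worked example, not code from this thread and not Koha's own code (Koha is written in Perl; this is a stand-alone Python model of the problem the scanner report describes). The payload in the reported URL opens with `"/>`, which is the string you send when a parameter is echoed inside a double-quoted HTML attribute, so `render_unsafe` below is a hypothetical template of that shape, not a claim about opac-shelves.pl. The block puts the report's recommended fix (strip angle brackets on input) next to escaping at the output point, and runs both against the reported payload and a constructed payload that contains no angle brackets at all. `REPORTED_URL` is the URL from the message with its line-wrap spaces removed and the host still redacted; `NO_BRACKET_PAYLOAD`, `render_unsafe`, `render_escaped`, `strip_angle_brackets`, `value_round_trips` and `injectable` are all constructs of this example.

```python
"""Reflected XSS through a query parameter echoed into HTML, and why output
encoding (not an angle-bracket input filter) is the fix.

Added example; not Koha's code. render_unsafe() is a hypothetical template
that mirrors the shape the scanner's payload (opening with " and />) is
built to break out of. All sample inputs are constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# The URL from the scanner report, line-wrap spaces removed; the host stays
# redacted as "[our server]" exactly as in the message.
REPORTED_URL = (
    "https://[our server]cgi-bin/koha/opac-shelves.pl?op=list&category="
    "%22/%3E%3Cimg%20src=x%20onerror=%22alert(%27Doh!%20Insert%20Hax%20Here.%27)"
    "%22%20/%3E%3C!%E2%80%94"
)

# Constructed payload with no angle brackets: it closes the quoted attribute
# and adds an event handler, so a "reject < and >" filter never sees it.
NO_BRACKET_PAYLOAD = '" autofocus onfocus="alert(1)'


def category_from_url(url: str) -> str:
    """Return the decoded 'category' parameter. The query string is split off
    by hand because the redacted [our server] host is not a valid netloc."""
    query = url.split("?", 1)[1]
    return parse_qs(query, keep_blank_values=True)["category"][0]


def render_unsafe(category: str) -> str:
    """Hypothetical vulnerable template: the parameter lands in an attribute
    value verbatim. The scanner's payload closes the quote and the tag, then
    starts its own <img> element with an onerror handler."""
    return f'<input type="hidden" name="category" value="{category}" />'


def render_escaped(category: str) -> str:
    """Hardened form: escape for the HTML attribute context at output time.
    quote=True is what turns " into &quot; in addition to <, >, & and '."""
    safe = html.escape(category, quote=True)
    return f'<input type="hidden" name="category" value="{safe}" />'


def strip_angle_brackets(value: str) -> str:
    """The input filter the scanner report proposes: drop < and >."""
    return value.replace("<", "").replace(">", "")


class _TagCollector(HTMLParser):
    """Collect every start tag the way a browser's tokenizer would see it."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def value_round_trips(rendered: str, original: str) -> bool:
    """Oracle for the injection: parse the rendered markup and demand exactly
    one <input> whose value attribute decodes back to the original string and
    which gained no on* event handler. False means the value escaped its
    attribute or grew extra attributes, i.e. the page is injectable."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    if len(parser.tags) != 1:
        return False
    tag, attrs = parser.tags[0]
    return (
        tag == "input"
        and attrs.get("value") == original
        and not any(name.startswith("on") for name in attrs)
    )


def injectable(render, value: str) -> bool:
    """True when rendering `value` with `render` does not round-trip it."""
    return not value_round_trips(render(value), value)


def main() -> None:
    payload = category_from_url(REPORTED_URL)
    for label, value in (("scanner payload", payload),
                         ("no-bracket payload", NO_BRACKET_PAYLOAD)):
        stripped = strip_angle_brackets(value)
        print(f"{label}:")
        print("  verbatim in attribute  injectable:", injectable(render_unsafe, value))
        print("  after bracket filter   injectable:", injectable(render_unsafe, stripped))
        print("  html.escape at output  injectable:", injectable(render_escaped, value))


if __name__ == "__main__":
    main()
```

Run directly, the bracket filter leaves both payloads injectable (the reported one still plants an event-handler attribute even with its brackets removed) while escaping at the output point neutralizes both, because what decides the outcome is the context the value is written into, not which characters it contains. Koha's templates are Template Toolkit, whose standard `html` filter performs this escaping at the output point.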
Please open a bug report in the "Koha security" project: https://bugs.koha-community.org/bugzilla3/enter_bug.cgi
That way we can keep the vulnerability hidden until a fix is published.

On Wed, 13 Sep 2017 at 15:35 Tom Hanstra <hanstra@nd.edu> wrote:
> [Tom Hanstra's original message, quoted in full in the reply; see above.]

_______________________________________________
Koha mailing list
http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha