Potential XSS attack vector in opac
When our site was scanned for potential vulnerabilities, they came up with the following links typed into Firefox:

50.199.57.14/cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123

and

50.199.57.14/cgi-bin/koha/opac-search.pl?q=ccl=su%3AGay%20men%20and%20su%3ASexual%20behavior&offset=100&sort_by=relevance_asc'"><script>prompt('Happy_Holidays')</script>

Both of these scripts are executed and cause a pop-up.

This looks similar to bug 11341, which was fixed in 3.14. We are running 3.18 on Xubuntu 14.04 LTS installed from the PPA. I noticed that in the patch at http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23313&action=diff there were a number of '|html %' entries which appear as '|url %' in 3.18. Is this a regression on bug 11341?

Bob Ewart
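The report above is a reflected XSS: the sort_by value is echoed into the OPAC page without HTML-context escaping, so the '"> prefix closes the attribute and tag it lands in and the <script> that follows runs. The following is an added example, not code from the thread or from Koha: it rebuilds the first reported URL, models the reflection with a hypothetical <select name="sort_by"> fragment (the real opac template is not shown on this page, so the |html versus |url detail is not reproduced here), and classifies a response body as still vulnerable or not. The function names, the template fragment and all response bodies are assumptions constructed for the example; only the host and path come from the report.

```python
"""Model of the reported sort_by reflection and a check for it.

Added example; not Koha code. The template fragment in
render_sort_option() is a hypothetical stand-in for the OPAC sort
selector, and every response body here is constructed, not captured
from a live OPAC.
"""
import re
from urllib.parse import urlencode

# The value the scanner put in sort_by, URL-decoded (taken from the report).
PAYLOAD = "'\"><script>prompt('Happy_Holidays')</script>"
# Distinctive substring used to locate the reflection in a response.
MARKER = "Happy_Holidays"


def build_probe_url(base: str, q: str = "123", limit: str = "123") -> str:
    """Rebuild the first reported URL, percent-encoding the payload so the
    request is well-formed (Firefox did this encoding for the reporter)."""
    query = urlencode({"q": q, "sort_by": PAYLOAD, "limit": limit})
    return f"{base}/cgi-bin/koha/opac-search.pl?{query}"


def html_escape(value: str) -> str:
    """Minimal HTML-context escaping: neutralise the characters that can
    terminate a double-quoted attribute or open a new tag. Percent-encoding
    (a URL-context filter) is not a substitute for this in HTML output."""
    return (value.replace("&", "&amp;")
                 .replace("<", "&lt;")
                 .replace(">", "&gt;")
                 .replace('"', "&quot;"))


def render_sort_option(sort_by: str, escape: bool) -> str:
    """Hypothetical template fragment: the submitted sort order is echoed
    back as the selected option's value. escape=False models the bug."""
    value = html_escape(sort_by) if escape else sort_by
    return ('<select name="sort_by">'
            f'<option value="{value}" selected="selected">Relevance</option>'
            '</select>')


# A raw <script> or <script ...> opening tag near the reflected marker.
SCRIPT_OPEN = re.compile(r"<\s*script(?:\s|>)", re.IGNORECASE)


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Classify how the probe value came back:
    'unescaped' - a live <script> tag surrounds the marker, so a browser
                  would execute it (the pop-up the reporter saw);
    'escaped'   - the marker is present but the tag characters were encoded;
    'absent'    - the probe value was not reflected at all."""
    idx = body.find(marker)
    if idx == -1:
        return "absent"
    window = body[max(0, idx - 80): idx + 80]
    return "unescaped" if SCRIPT_OPEN.search(window) else "escaped"


if __name__ == "__main__":
    # Constructed demonstration: the same payload through both renderings.
    for escape in (False, True):
        body = render_sort_option(PAYLOAD, escape)
        print(f"escape={escape}: {classify_reflection(body)}")
    print(build_probe_url("http://50.199.57.14"))
```

To check an installation you administer, fetch build_probe_url() against your own OPAC and pass the response body to classify_reflection(); "unescaped" means the fix is not in place. The 80-character window is a heuristic and can misfire if a genuine <script> element sits next to the reflection point, so the pop-up in a browser, as the reporter observed it, remains the ground truth.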
Hi Bob,

Thanks for reporting this bug. In the future, it would be better for you to file your bug at the community bugzilla - the large blue link here: http://koha-community.org/security/

As a general reminder for everyone, please don't post your found vulnerabilities to the public list. Security bugs should be reported at the link above. Koha security bugs are restricted to viewing by the reporter and the people listed in the security group, which corresponds with those who need to be involved in organising an out-of-sequence release to deal with serious security issues.

Thanks again for reporting the issue and helping to make Koha better.

Liz

On 10/12/14 11:42, Bob Ewart wrote:
When our site was scanned for potential vulnerabilities...
Bob Ewart
_______________________________________________ Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz http://lists.katipo.co.nz/mailman/listinfo/koha
-- -- Liz Rea Catalyst.Net Limited Level 6, Catalyst House, 150 Willis Street, Wellington. P.O Box 11053, Manners Street, Wellington 6142 GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7
* Liz Rea (liz@catalyst.net.nz) wrote:
Hi Bob,
Thanks for reporting this bug. In the future, it would be better for you to file your bug at the community bugzilla - the large blue link here: http://koha-community.org/security/
As a general reminder for everyone, please don't post your found vulnerabilities to the public list. Security bugs should be reported at the link above. Koha security bugs are restricted to viewing by the reporter and the people listed in the security group, which corresponds with those who need to be involved in organising an out-of-sequence release to deal with serious security issues.
Thanks again for reporting the issue and helping to make Koha better.
Hi All

I have reported the bug, and I am just uploading a couple of patches, (one for master/3.18 which is bootstrap) and one for 3.16 which has the change for bootstrap and prog

Chris

-- Chris Cormack Catalyst IT Ltd. +64 4 803 2238 PO Box 11-053, Manners St, Wellington 6142, New Zealand
Chris Cormack wrote on Wed 10-12-2014 at 12:46 [+1300]:
I have reported the bug, and I am just uploading a couple of patches, (one for master/3.18 which is bootstrap) and one for 3.16 which has the change for bootstrap and prog
Packages for 3.18.01 have been released to the 'squeeze' repository.

The 'oldstable' repository will get 3.16 when an update for that has been released. Note that it currently contains 3.14.11, so this will also be an upgrade for that (which I'd rather didn't happen, but I was waiting for 3.16.05 anyway before updating it.)

I expect this to happen tomorrow, though I'll be conferencing then so I can't promise exactly when it'll happen.

-- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5FA7 4B49 1E4D CAA4 4C38 8505 77F5 B724 F871 3BDF
Could someone let us know what bug number this is?

Thanks

On Wed, Dec 10, 2014 at 5:01 AM, Robin Sheat <robin@catalyst.net.nz> wrote:
Chris Cormack wrote on Wed 10-12-2014 at 12:46 [+1300]:
I have reported the bug, and I am just uploading a couple of patches, (one for master/3.18 which is bootstrap) and one for 3.16 which has the change for bootstrap and prog
Packages for 3.18.01 have been released to the 'squeeze' repository.
The 'oldstable' repository will get 3.16 when an update for that has been released. Note that it currently contains 3.14.11, so this will also be an upgrade for that (which I'd rather didn't happen, but I was waiting for 3.16.05 anyway before updating it.)
I expect this to happen tomorrow, though I'll be conferencing then so I can't promise exactly when it'll happen.
-- Elaine Bradtke Data Wrangler VWML English Folk Dance and Song Society | http://www.efdss.org Cecil Sharp House, 2 Regent's Park Road, London NW1 7AY Tel +44 (0) 20 7485 2206 (This number is for the English Folk Dance and Song Society in London, England. If you wish to phone me personally, send an e-mail first. I work off site) -------------------------------------------------------------------------- Registered Company No. 297142 Charity Registered in England and Wales No. 305999 --------------------------------------------------------------------------- "Writing about music is like dancing about architecture" --Elvis Costello (Musician magazine No. 60 (October 1983), p. 52)
Hi Elaine

It's in the 3.18.01 release notes: http://koha-community.org/koha-3-18-01-security-release/

You won't be able to see it in bugzilla; the bug is still private until a 3.16.x release is done, but you can cherry pick the code from the 3.18.x branch in git.

Chris

On 11 December 2014 6:33:33 am NZDT, Elaine Bradtke <eb@efdss.org> wrote:
Could someone let us know what bug number this is? Thanks
On Wed, Dec 10, 2014 at 5:01 AM, Robin Sheat <robin@catalyst.net.nz> wrote:
Chris Cormack wrote on Wed 10-12-2014 at 12:46 [+1300]:
I have reported the bug, and I am just uploading a couple of patches, (one for master/3.18 which is bootstrap) and one for 3.16 which has the change for bootstrap and prog
Packages for 3.18.01 have been released to the 'squeeze' repository.
The 'oldstable' repository will get 3.16 when an update for that has been released. Note that it currently contains 3.14.11, so this will also be an upgrade for that (which I'd rather didn't happen, but I was waiting for 3.16.05 anyway before updating it.)
I expect this to happen tomorrow, though I'll be conferencing then so I can't promise exactly when it'll happen.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On 10/12/14 at 18:01, Robin Sheat wrote:
I expect this to happen tomorrow, though I'll be conferencing then so I can't promise exactly when it'll happen.
3.16.05 packages are now available in the 'oldstable' repo.

-- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
participants (5)
- Bob Ewart
- Chris Cormack
- Elaine Bradtke
- Liz Rea
- Robin Sheat