Hi,

First let me say that this is not a very serious security issue, so please don't freak out.

We've just done an audit of Koha (OPAC and Intranet) and have found a number of XSS vulnerabilities in the code. This allows a malicious attacker with a carefully crafted web site to potentially trick your users into providing sensitive information to a site other than yours (e.g. usernames and passwords).

Is anyone aware of patches for these currently in circulation? If not, I'll have a look at the problems and attempt to address them and then release a patch.

Thanks,
Andrew

Some info about XSS:
http://sandsprite.com/Sleuth/papers/RealWorld_XSS_1.html
http://www.cert.org/tech_tips/malicious_code_FAQ.html
http://www.cgisecurity.com/articles/xss-faq.shtml

_________________________
Andrew Yager, Managing Director (BCompSc MACS)
Real World Technology Solutions Pty Ltd
ph: 1300 798 718 or (02) 9563 4840
fax: (02) 9563 4848
mob: 0405 152 568
http://www.rwts.com.au/
_________________________
Real World Technology Solutions is an Authorised Apple Reseller, Telstra Dealer, Microsoft Small Business Solutions Specialist, Cisco Registered Partner and Member of Open Source Industry Australia.
On 30/08/2007, at 8:22 PM, Andrew Yager wrote:
Hi,
First let me say that this is not a very serious security issue, so please don't freak out.
We've just done an audit of Koha (OPAC and Intranet) and have found a number of XSS vulnerabilities in the code. This allows a malicious attacker with a carefully crafted web site to potentially trick your users into providing sensitive information to a site other than yours (e.g. usernames and passwords).
Is anyone aware of patches for these currently in circulation? If not, I'll have a look at the problems and attempt to address them and then release a patch.
Hi Andrew,

We did fix this up a while back for the OPAC, but over time vulnerabilities might have crept back in. I'm not too worried about the intranet side; if someone malicious has access to that, you have bigger problems than XSS :-) But I'd certainly like to see patches for the OPAC.

What you might like to do is get the latest version from git:
http://wiki.koha.org/doku.php?id=en:development:git_usage
This is the code that will be 3.0.

If you want to discuss this more, it would probably be best on the koha-devel list, which I'd encourage you to join if you haven't already.

Chris

--
Chris Cormack
chris.cormack@liblime.com
VP Research and Development
www.liblime.com
LibLime
+64 21 542 131