[Koha] XSS Vulnerabilities in Koha

Andrew Yager andrew at rwts.com.au
Thu Aug 30 20:22:19 NZST 2007


Hi,

First let me say that this is not a very serious security issue, so  
please don't freak out.

We've just done an audit of Koha (OPAC and Intranet) and have found a  
number of XSS vulnerabilities in the code.  This allows a malicious  
attacker, with a carefully crafted web site to potentially trick your  
users into providing sensitive information to a site other than yours  
(e.g. usernames and passwords).

Is anyone aware of patches for these currently in circulation? If  
not, I'll have a look at the problems and attempt to address them and  
then release a patch.

Thanks,
Andrew

Some info about XSS:

http://sandsprite.com/Sleuth/papers/RealWorld_XSS_1.html
http://www.cert.org/tech_tips/malicious_code_FAQ.html
http://www.cgisecurity.com/articles/xss-faq.shtml

_________________________
Andrew Yager, Managing Director (BCompSc MACS)
Real World Technology Solutions Pty Ltd
ph: 1300 798 718 or (02) 9563 4840
fax: (02) 9563 4848 mob: 0405 152 568
http://www.rwts.com.au/
_________________________

Real World Technology Solutions is an Authorised Apple Reseller,  
Telstra Dealer, Microsoft Small Business Solutions Specialist, Cisco  
Registered Partner and Member of Open Source Industry Australia.
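To make the class of bug Andrew describes concrete, here is a small added example (not Koha's own code, and not from Andrew's audit) written in Perl, the language Koha is implemented in. It shows a hypothetical search-results snippet that interpolates a request parameter straight into the page, next to a version that HTML-encodes the parameter with HTML::Entities first. The function names and the sample input are constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example: reflected XSS in a search page and its fix.
# Not Koha code; the function names and input below are constructed.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed sample input, as a browser might submit it in a "q"
# parameter of a crafted link on a third-party site.
my $query = q{"><script>alert(1)</script>};

# Vulnerable: interpolates the raw parameter into the page, so any
# markup in the parameter becomes part of the document the user's
# browser renders under the library site's own origin.
sub render_unsafe {
    my ($q) = @_;
    return qq{<p>Results for "$q"</p>};
}

# Fixed: encode the characters that carry meaning in HTML before they
# reach the output. The browser then displays the text literally
# instead of executing it.
sub render_safe {
    my ($q) = @_;
    my $escaped = encode_entities( $q, q{<>&"'} );
    return qq{<p>Results for "$escaped"</p>};
}

print "Unsafe: ", render_unsafe($query), "\n";
print "Safe:   ", render_safe($query), "\n";
```

Running this prints the unsafe line with a live `<script>` element and the safe line with `&lt;script&gt;` and `&quot;` in its place. The same rule applies inside templates: with HTML::Template, `<TMPL_VAR NAME="q" ESCAPE="HTML">` performs this encoding at the point of output, which is the place to apply it rather than trying to filter input.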
