[Koha] XSS Vulnerabilities in Koha

Andrew Yager andrew at rwts.com.au
Thu Aug 30 20:22:19 NZST 2007


First let me say that this is not a very serious security issue, so  
please don't freak out.

We've just done an audit of Koha (OPAC and Intranet) and have found a  
number of XSS vulnerabilities in the code.  This allows a malicious  
attacker, with a carefully crafted web site to potentially trick your  
users into providing sensitive information to a site other than yours  
(e.g. usernames and passwords).

Is anyone aware of patches for these currently in circulation? If  
not, I'll have a look at the problems and attempt to address them and  
then release a patch.


Some info about XSS:


Andrew Yager, Managing Director (BCompSc MACS)
Real World Technology Solutions Pty Ltd
ph: 1300 798 718 or (02) 9563 4840
fax: (02) 9563 4848 mob: 0405 152 568

Real World Technology Solutions is an Authorised Apple Reseller,  
Telstra Dealer, Microsoft Small Business Solutions Specialist, Cisco  
Registered Partner and Member of Open Source Industry Australia.

More information about the Koha mailing list