[Koha] XSS Vulnerabilities in Koha

Chris Cormack crc at liblime.com
Thu Aug 30 20:55:55 NZST 2007

On 30/08/2007, at 8:22 PM, Andrew Yager wrote:

> Hi,
> First let me say that this is not a very serious security issue, so  
> please don't freak out.
> We've just done an audit of Koha (OPAC and Intranet) and have found  
> a number of XSS vulnerabilities in the code.  This allows a  
> malicious attacker, with a carefully crafted web site to  
> potentially trick your users into providing sensitive information  
> to a site other than yours (e.g. usernames and passwords).
> Is anyone aware of patches for these currently in circulation? If  
> not, I'll have a look at the problems and attempt to address them  
> and then release a patch.
Hi Andrew

We did fix this up a while back for the opac, but overtime  
vulnerabilities might have crept back in. I'm not too worried about  
the intranet side, if someone malicious has access to that, you have  
bigger problems than xss :-) But Id certainly like to see patches for  
the opac.

What you might like to do is get the latest version from git

This is the code that will be 3.0.

If you want to discuss this more, it would probably be best on the  
koha-devel list, which I'd encourage you to join if you haven't already.

Chris Cormack                            chris.cormack at liblime.com
VP Research and Development                        www.liblime.com
LibLime                                             +64 21 542 131

More information about the Koha mailing list