[Koha] Cross-site scripting vulnerability - Koha 16.11
Tom Hanstra
hanstra at nd.edu
Thu Sep 14 06:35:15 NZST 2017
We received email from our campus InfoSec group that a portion of our Koha
site was vulnerable to cross-site scripting attacks. Below is the gist of
the email we received:
GET: https://[our server]cgi-bin/koha/opac-shelve
s.pl?op=list&category=%22/%3E%3Cimg%20src=x%20onerror=%
22alert(%27Doh!%20Insert%20Hax%20Here.%27)%22%20/%3E%3C!%E2%80%94
ATTACK DETAILS:
This page is vulnerable to Cross-site scripting attacks.
Cross-site scripting attacks, in general, are an issue because
they are enabling attacks. Specially-crafted malicious URLs can
steal authentication tokens/cookies when a logged-in user visits them,
giving the attacker full access to that user's account in the application.
Reflected XSS attacks, in particular, are a concern as they can be used to
socially engineer a user into clicking on what appears to be a legitimate
URL.
Please also consider the following:
- Web application security testing should be performed regularly,
especially for any public web applications. This includes
tracking application inventory, general code review and vulnerability
assessments using web application security testing tools.
- All input received by the web server should be checked before
it is processed. The best method is to remove all unwanted input and
accept only expected input. For example, ensure angle brackets are
not allowed in any input to any Web page fields. Additionally, no
syntactic input should be allowed. Syntactic input can come from
databases, other servers, etc. All input into a Web application must
be filtered to ensure the delivery of clean content to individuals using
your service.
- Other References:
OWASP Guide to Building Secure Web Applications and Web Services
https://www.owasp.org/index.php/Category:OWASP_Guide_Project
--------------
Does anyone know if there is a newer version of Koha which addresses these
issues?
Thanks,
Tom
--
*Tom Hanstra*
*Sr. Systems Administrator*
hanstra at nd.edu
<http://library.nd.edu/>
More information about the Koha
mailing list