[Koha] Cross-site scripting vulnerability - Koha 16.11

Tom Hanstra hanstra at nd.edu
Thu Sep 14 06:35:15 NZST 2017


We received email from our campus InfoSec group that a portion of our Koha
site was vulnerable to cross-site scripting attacks. Below is the gist of
the email we received:

GET:  https://[our server]cgi-bin/koha/opac-shelve
s.pl?op=list&category=%22/%3E%3Cimg%20src=x%20onerror=%
22alert(%27Doh!%20Insert%20Hax%20Here.%27)%22%20/%3E%3C!%E2%80%94

ATTACK DETAILS:
This page is vulnerable to Cross-site scripting attacks.

Cross-site scripting attacks, in general, are an issue because
they are enabling attacks. Specially-crafted malicious URLs can
steal authentication tokens/cookies when a logged-in user visits them,
giving the attacker full access to that user's account in the application.
Reflected XSS attacks, in particular, are a concern as they can be used to
socially engineer a user into clicking on what appears to be a legitimate
URL.

Please also consider the following:

- Web application security testing should be performed regularly,
  especially for any public web applications. This includes
  tracking application inventory, general code review and vulnerability
  assessments using web application security testing tools.

- All input received by the web server should be checked before
  it is processed. The best method is to remove all unwanted input and
  accept only expected input. For example, ensure angle brackets are
  not allowed in any input to any Web page fields. Additionally, no
  syntactic input should be allowed. Syntactic input can come from
  databases, other servers, etc. All input into a Web application must
  be filtered to ensure the delivery of clean content to individuals using
  your service.

- Other References:

  OWASP Guide to Building Secure Web Applications and Web Services
  https://www.owasp.org/index.php/Category:OWASP_Guide_Project
--------------

Does anyone know if there is a newer version of Koha which addresses these
issues?

Thanks,
Tom

-- 
*Tom Hanstra*
*Sr. Systems Administrator*
hanstra at nd.edu

<http://library.nd.edu/>


More information about the Koha mailing list