[Koha] XSS Vulnerabilities in Koha

Chris Cormack crc at liblime.com
Thu Aug 30 20:55:55 NZST 2007


On 30/08/2007, at 8:22 PM, Andrew Yager wrote:

> Hi,
>
> First let me say that this is not a very serious security issue, so  
> please don't freak out.
>
> We've just done an audit of Koha (OPAC and Intranet) and have found  
> a number of XSS vulnerabilities in the code.  This allows a  
> malicious attacker, with a carefully crafted web site to  
> potentially trick your users into providing sensitive information  
> to a site other than yours (e.g. usernames and passwords).
>
> Is anyone aware of patches for these currently in circulation? If  
> not, I'll have a look at the problems and attempt to address them  
> and then release a patch.
>
>
Hi Andrew

We did fix this up a while back for the OPAC, but over time
vulnerabilities might have crept back in. I'm not too worried about
the intranet side; if someone malicious has access to that, you have
bigger problems than XSS :-) But I'd certainly like to see patches for
the OPAC.

What you might like to do is get the latest version from git
http://wiki.koha.org/doku.php?id=en:development:git_usage

This is the code that will be 3.0.

If you want to discuss this more, it would probably be best on the  
koha-devel list, which I'd encourage you to join if you haven't already.

Chris
--
Chris Cormack                            chris.cormack at liblime.com
VP Research and Development                        www.liblime.com
LibLime                                             +64 21 542 131
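The class of bug discussed in this thread is user-controlled input echoed back into OPAC pages without escaping. The following is an added example, not Koha code and not from either poster: a small Perl script showing the vulnerable pattern next to the hardened one. `html_escape`, `render_search_unsafe` and `render_search_safe` are hypothetical helpers, and the payload is constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): HTML-escape user-controlled values
# before interpolating them into page output.
use strict;
use warnings;

# Escape the characters that let a value break out of HTML text or a
# double-quoted attribute. Hypothetical helper, not a Koha API.
sub html_escape {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;    # must come first so later entities are not re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern: the search term is echoed into the results page as-is,
# both into text content and into an attribute value.
sub render_search_unsafe {
    my ($q) = @_;
    return qq{<p>Results for "$q"</p><input type="text" name="q" value="$q">};
}

# Hardened: escape once, at output time, for every place the value lands.
sub render_search_safe {
    my ($q) = @_;
    my $e = html_escape($q);
    return qq{<p>Results for "$e"</p><input type="text" name="q" value="$e">};
}

# Constructed payload of the kind a crafted link to the OPAC would carry;
# it closes the attribute and injects a script element.
my $payload = q{"><script>alert(1)</script>};

print render_search_unsafe($payload), "\n";   # <script> element survives intact
print render_search_safe($payload), "\n";     # browser renders it as literal text
```

Running the script shows the difference: the unsafe renderer emits `value=""><script>alert(1)</script>">`, which the browser executes, while the safe one emits `&quot;&gt;&lt;script&gt;...`, which it only displays. The escaping belongs at the template layer rather than in scattered regexes; if the templates are HTML::Template, the equivalent is the `ESCAPE="HTML"` attribute on each `TMPL_VAR` that carries user-supplied data, and an audit of the OPAC templates for variables lacking that attribute is the quickest way to find the spots where a fix has regressed.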