[Koha] Cross site scripting
Chris Cormack
chris at bigballofwax.co.nz
Wed Nov 27 05:44:15 NZDT 2013
On 27 November 2013 00:54, <araik at flib.sci.am> wrote:
> Dear community,
> In our Koha version 3.12.01 which has worked on Ubuntu 12.04 we have some
> problems.
> Recently our Web provider checked Koha security through the "Acunetix" Web
> application security program and found some high-severity type
> vulnerabilities.
The good news is that it isn't easily exploitable, as the problem only
occurs on the RSS feed page, and shows up as
<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>
which most browsers, feed readers, etc. will throw away.
However, there is no reason we shouldn't be escaping that input anyway.
There is a patch for this at
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11307
The bigger issue for you is that in July 2013 a security release was
published, fixing a more serious issue. You should upgrade your 3.12.01
to at least 3.12.03 to get the fix for that (unless you have patched
manually).
http://koha-community.org/security-release-july-2013/
Chris
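To make the escaping point concrete, here is an added Python illustration (not Koha's own Perl code, nor the patch on the bug above) of how a reflected itemsPerPage value behaves when interpolated raw, when XML-escaped, and when validated as an integer. The sample tainted value is constructed from the output quoted above; the OpenSearch 1.1 namespace URL is the standard one.

```python
"""Reflected query value in an OpenSearch RSS element: raw vs escaped vs validated."""
import re
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Standard OpenSearch 1.1 namespace used by RSS/Atom feed extensions.
NS = "http://a9.com/-/spec/opensearch/1.1/"

# Constructed sample: the value the scanner injected, as quoted in the thread.
TAINTED_COUNT = '50"\'<h1>test</h1>'


def items_per_page_unescaped(count):
    """Vulnerable form: the query value is interpolated into the XML as-is."""
    return f'<opensearch:itemsPerPage xmlns:opensearch="{NS}">{count}</opensearch:itemsPerPage>'


def items_per_page_escaped(count):
    """Defence in depth: escape &, < and > so the value can never open a new element."""
    return f'<opensearch:itemsPerPage xmlns:opensearch="{NS}">{escape(count)}</opensearch:itemsPerPage>'


def items_per_page_validated(count, default=50):
    """Preferred fix for a numeric field: accept only 1-4 digits, else use the default."""
    n = int(count) if re.fullmatch(r"\d{1,4}", count) else default
    return f'<opensearch:itemsPerPage xmlns:opensearch="{NS}">{n}</opensearch:itemsPerPage>'


def parse_fragment(xml_text):
    """Parse the fragment; return (element text, tags of any injected child elements).

    A safe value yields an empty child list; the raw version yields ['h1'],
    which is exactly what a feed reader would see as markup."""
    root = ET.fromstring(xml_text)
    return root.text, [child.tag for child in root]


if __name__ == "__main__":
    for build in (items_per_page_unescaped, items_per_page_escaped, items_per_page_validated):
        print(build.__name__, "->", parse_fragment(build(TAINTED_COUNT)))
```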