[Koha] Potential XSS attack vector in opac

Bob Ewart bob-ewart at bobsown.com
Wed Dec 10 11:42:24 NZDT 2014


When our site was scanned for potential vulnerabilities, they came up 
with the following links typed into Firefox.

50.199.57.14/cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123

and

50.199.57.14/cgi-bin/koha/opac-search.pl?q=ccl=su%3AGay%20men%20and%20su%3ASexual%20behavior&offset=100&sort_by=relevance_asc'"><script>prompt('Happy_Holidays')</script>

Both of these scripts are executed and cause a pop-up.

This looks similar to bug 11341 which was fixed in 3.14.  We are running 
3.18 on Xubuntu 14.04 LTS installed from the PPA.  I noticed that in the 
patch at 
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23313&action=diff 
there were a number of '|html %' entries which appear as '|url %' in 3.18.

Is this a regression on bug 11341?

Bob Ewart
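An added defender-side example, not code from this list post or from Koha: the access-log lines are constructed from the two URLs above with the host replaced by a documentation address, and the `SORT_BY_RE` allowlist, `MARKUP_RE` pattern and function names are assumptions rather than Koha's own code. It flags requests whose query parameters carry markup, and shows the two mitigations a reflected parameter like `sort_by` needs: allowlisting the value before use, and HTML-attribute-context encoding of anything echoed back into the page.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines modelled on the two OPAC URLs quoted in the report.
# Host replaced by a documentation address (192.0.2.x); the payload is the report's own.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Dec/2014:11:30:01 +1300] "GET /cgi-bin/koha/opac-search.pl?q=123&sort_by=%27%22%3E%3Cscript%3Eprompt(%27Happy_Holidays%27)%3C/script%3E&limit=123 HTTP/1.1" 200 5120
192.0.2.11 - - [10/Dec/2014:11:30:05 +1300] "GET /cgi-bin/koha/opac-search.pl?q=ccl=su%3AGay%20men%20and%20su%3ASexual%20behavior&offset=100&sort_by=relevance_asc HTTP/1.1" 200 6001
192.0.2.12 - - [10/Dec/2014:11:31:00 +1300] "GET /cgi-bin/koha/opac-search.pl?q=123&sort_by=popularity_dsc&limit=20 HTTP/1.1" 200 4090
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Markup that has no business in sort_by/limit/offset: a tag opener, a quote
# immediately closing an attribute and tag, or a javascript: URL (assumed pattern).
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|['\"]\s*>|javascript:", re.IGNORECASE)
# Assumed allowlist for the field_direction form of Koha's sort_by values.
SORT_BY_RE = re.compile(r"^[a-z_]+_(asc|dsc|az|za)$")

def suspicious_params(request_target):
    """Return [(name, decoded value)] for query parameters carrying markup."""
    query = urlsplit(request_target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if MARKUP_RE.search(value)]

def scan_log(text):
    """Return (line_no, param, decoded value) for every flagged request in the log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group(1)):
            findings.append((line_no, name, value))
    return findings

def safe_sort_by(value, default="relevance_dsc"):
    """Mitigation 1: accept only allowlisted sort keys; fall back to a known default."""
    return value if SORT_BY_RE.match(value) else default

def attr_encode(value):
    """Mitigation 2: encode for HTML attribute context before echoing a value back.
    A URL-encoding filter is the wrong tool here; the output context is HTML."""
    return html.escape(value, quote=True)

if __name__ == "__main__":
    for line_no, name, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {name}={value!r} -> served as {attr_encode(value)!r}")
```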
