[Koha] Potential XSS attack vector in opac
Bob Ewart
bob-ewart at bobsown.com
Wed Dec 10 11:42:24 NZDT 2014
When our site was scanned for potential vulnerabilities, they came up
with the following links typed into Firefox.
50.199.57.14/cgi-bin/koha/opac-search.pl?q=123&sort_by='"><script>prompt('Happy_Holidays')</script>&limit=123
and
50.199.57.14/cgi-bin/koha/opac-search.pl?q=ccl=su%3AGay%20men%20and%20su%3ASexual%20behavior&offset=100&sort_by=relevance_asc'"><script>prompt('Happy_Holidays')</script>
Both of these scripts are executed and cause a pop-up.
This looks similar to bug 11341 which was fixed in 3.14. We are running
3.18 on Xubuntu 14.04 LTS installed from the PPA. I noticed that in the
patch at
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23313&action=diff
there were a number of '|html %' entries which appear as '|url %' in 3.18.
Is this a regression on bug 11341?
Bob Ewart
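An added illustration of the filter question raised above, not code from the report or from Koha itself: the value of sort_by from the first reported URL is interpolated into a hypothetical hidden-input fragment once without any output filter and once HTML-escaped, and an HTML parser counts the script elements a browser would see in each result. Python's html.escape stands in for Template Toolkit's |html filter; the template fragment, the path-only URL constants and the suspicious_params check are constructed for this example and are not Koha's templates or code.

```python
"""Context-correct output escaping for a query parameter that lands in an
HTML attribute. Constructed example; the template fragment is hypothetical
and html.escape is used in place of Template Toolkit's |html filter."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed path-only copies of the two URLs from the report (host dropped).
PROBE_URLS = [
    "/cgi-bin/koha/opac-search.pl?q=123"
    "&sort_by='\"><script>prompt('Happy_Holidays')</script>&limit=123",
    "/cgi-bin/koha/opac-search.pl?q=ccl=su%3AGay%20men%20and%20su%3ASexual%20behavior"
    "&offset=100&sort_by=relevance_asc'\"><script>prompt('Happy_Holidays')</script>",
]


def sort_by_from_url(url):
    """Return the decoded sort_by parameter as a CGI script would receive it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("sort_by", [""])[0]


def render_raw(sort_by):
    """Hypothetical template fragment with NO output filter (the vulnerable form)."""
    return f'<input type="hidden" name="sort_by" value="{sort_by}" />'


def render_escaped(sort_by):
    """Same fragment with HTML escaping, the job of TT's |html filter.
    quote=True also escapes ' and ", which matters inside an attribute."""
    return (
        '<input type="hidden" name="sort_by" value="'
        + html.escape(sort_by, quote=True)
        + '" />'
    )


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags, i.e. script elements a browser would create."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1


def script_elements(fragment):
    """Number of script elements present in a rendered HTML fragment."""
    parser = _ScriptCounter()
    parser.feed(fragment)
    parser.close()
    return parser.script_tags


def suspicious_params(url):
    """Defender's check: names of query parameters whose decoded value carries
    characters that can break out of an attribute or open a tag."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(
        name
        for name, values in qs.items()
        if any(ch in value for value in values for ch in "<>\"'")
    )


if __name__ == "__main__":
    for url in PROBE_URLS:
        value = sort_by_from_url(url)
        print("parameters carrying markup:", suspicious_params(url))
        print("unfiltered  -> script elements:", script_elements(render_raw(value)))
        print("html-escaped -> script elements:", script_elements(render_escaped(value)))
```

Running the block shows the unfiltered fragment yielding one script element for each reported URL and the escaped fragment yielding none; suspicious_params is the same decode-then-inspect step that can be applied to the query string of access-log lines when looking for this kind of probe.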