[Koha] Cross-site scripting vulnerability - Koha 16.11

Jonathan Druart jonathan.druart at bugs.koha-community.org
Thu Sep 14 06:51:19 NZST 2017


Please open a bug report in the "Koha security" project
https://bugs.koha-community.org/bugzilla3/enter_bug.cgi
That way we can keep the vulnerability hidden until a fix is published

On Wed, 13 Sep 2017 at 15:35 Tom Hanstra <hanstra at nd.edu> wrote:

> We received email from our campus InfoSec group that a portion of our Koha
> site was vulnerable to cross-site scripting attacks. Below is the gist of
> the email we received:
>
> GET:  https://[our server]cgi-bin/koha/opac-shelves.pl?op=list&category=%22/%3E%3Cimg%20src=x%20onerror=%22alert(%27Doh!%20Insert%20Hax%20Here.%27)%22%20/%3E%3C!%E2%80%94
>
> ATTACK DETAILS:
> This page is vulnerable to Cross-site scripting attacks.
>
> Cross-site scripting attacks, in general, are an issue because
> they are enabling attacks. Specially-crafted malicious URLs can
> steal authentication tokens/cookies when a logged-in user visits them,
> giving the attacker full access to that user's account in the application.
> Reflected XSS attacks, in particular, are a concern as they can be used to
> socially engineer a user into clicking on what appears to be a legitimate
> URL.
>
> Please also consider the following:
>
> - Web application security testing should be performed regularly,
>   especially for any public web applications. This includes
>   tracking application inventory, general code review and vulnerability
>   assessments using web application security testing tools.
>
> - All input received by the web server should be checked before
>   it is processed. The best method is to remove all unwanted input and
>   accept only expected input. For example, ensure angle brackets are
>   not allowed in any input to any Web page fields. Additionally, no
>   syntactic input should be allowed. Syntactic input can come from
>   databases, other servers, etc. All input into a Web application must
>   be filtered to ensure the delivery of clean content to individuals using
>   your service.
>
> - Other References:
>
>   OWASP Guide to Building Secure Web Applications and Web Services
>   https://www.owasp.org/index.php/Category:OWASP_Guide_Project
> --------------
>
> Does anyone know if there is a newer version of Koha which addresses these
> issues?
>
> Thanks,
> Tom
>
> --
> *Tom Hanstra*
> *Sr. Systems Administrator*
> hanstra at nd.edu
>
> <http://library.nd.edu/>
> _______________________________________________
> Koha mailing list  http://koha-community.org
> Koha at lists.katipo.co.nz
> https://lists.katipo.co.nz/mailman/listinfo/koha
>
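The scanner's recommendation above (accept only expected input, and never let a reflected value reach the page unencoded) is shown below as a worked example added to this archive page. It is not code from the thread or from Koha itself, and it is written in Python rather than Koha's Perl so it runs stand-alone. The function names, the regular expression, the access-log probe check and the assumption that a shelf category is a small integer code (1 = private, 2 = public in the OPAC, to the best of my knowledge) are this example's own; only the request line comes from the report quoted above.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# Request line from the InfoSec report quoted in the thread; "[our server]" is their placeholder.
REPORTED_URL = (
    "https://[our server]cgi-bin/koha/opac-shelves.pl?op=list&category="
    "%22/%3E%3Cimg%20src=x%20onerror=%22alert(%27Doh!%20Insert%20Hax%20Here.%27)"
    "%22%20/%3E%3C!%E2%80%94"
)

# Assumption for this example: shelf categories are integer codes, 1 = private, 2 = public.
ALLOWED_CATEGORIES = {1, 2}


def query_params(url):
    """Decode the query string of a URL into {name: first value}.

    The query is split off by hand so the "[our server]" placeholder in the
    host part does not trip urlparse's bracketed-host validation.
    """
    query = url.partition("?")[2]
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def validate_category(raw):
    """Allow-list validation: return the category code, or None if the value
    is not one of the expected integer codes. This is the "accept only
    expected input" step; the XSS payload never becomes a category at all."""
    if raw is None or not re.fullmatch(r"[0-9]{1,3}", raw):
        return None
    code = int(raw)
    return code if code in ALLOWED_CATEGORIES else None


def encode_for_html(raw):
    """Output encoding: if a rejected value has to be echoed back (an error
    message, say), escape it so the browser sees text, not markup."""
    return html.escape(raw, quote=True)


def looks_like_xss_probe(query):
    """Detection heuristic for access logs: after URL-decoding, does the
    query contain a tag opener or an on*= event-handler attribute?"""
    decoded = unquote(query)
    return bool(re.search(r"<\s*[a-z!/]|\bon[a-z]+\s*=", decoded, re.IGNORECASE))


if __name__ == "__main__":
    params = query_params(REPORTED_URL)
    print("decoded category:", params["category"])
    print("validated as:", validate_category(params["category"]))
    print("safe to echo as:", encode_for_html(params["category"]))
    # Constructed access-log query strings, one benign and one from the report.
    for q in ("op=list&category=2", REPORTED_URL.partition("?")[2]):
        print("probe?" , looks_like_xss_probe(q), "<-", q[:40])
```

Validation rejects the payload outright, so the only place it could ever reach the page is an error message, and there `encode_for_html` turns the `<img` into `&lt;img`, which a browser renders as literal text. The log heuristic is deliberately simple and will produce false positives on legitimate input containing angle brackets; it is meant as a triage filter, not a blocking rule.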
