On 27 November 2013 00:54, <ar...@flib.sci.am> wrote:
> Dear community,
> In our Koha version 3.12.01, which is running on Ubuntu 12.04, we have some
> problems.
> Recently our Web provider checked Koha security through the "Acunetix" Web
> application security program and found some high-severity vulnerabilities.
The good news is, it isn't easily exploitable, as the problem only occurs on the RSS feed page and shows up as

<opensearch:itemsPerPage>50"'<h1>test</h1></opensearch:itemsPerPage>

which most browsers, feed readers, etc. will throw away. However, there is no reason we shouldn't be escaping that input anyway. There is a patch for this at
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11307

The bigger issue for you is that in July 2013 a security release was released, fixing a more serious issue. You should upgrade your 3.12.01 to at least 3.12.03 to get the fix for that (unless you have patched manually):
http://koha-community.org/security-release-july-2013/

Chris
_______________________________________________
Koha mailing list
http://koha-community.org
Koha@lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha
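The following is an added illustration of the escaping point Chris makes above; it is not Koha code, not the patch attached to bug 11307, and is written in Python rather than Koha's Perl. It takes the probe value quoted in the thread, shows how raw interpolation lets that value add a child element to the OpenSearch `itemsPerPage` element, and shows two fixes: XML-escaping the value before interpolation, and (since the element is supposed to hold an integer) coercing it to a bounded integer. The function names, the `wrap()` helper and the `coerce_count` limits are assumptions made for this example; the OpenSearch namespace URI is the standard one.

```python
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed sample input: the value that appeared in the scanner's probe,
# exactly as quoted in the thread.
PROBE_VALUE = "50\"'<h1>test</h1>"

# Standard OpenSearch 1.1 namespace, declared so the fragments parse stand-alone.
OPENSEARCH_NS = "http://a9.com/-/spec/opensearch/1.1/"


def items_per_page_unescaped(value):
    """The defective pattern: raw request input interpolated into XML."""
    return f"<opensearch:itemsPerPage>{value}</opensearch:itemsPerPage>"


def items_per_page_escaped(value):
    """Fix 1: escape &, <, > and both quote characters before interpolation."""
    safe = escape(str(value), {'"': "&quot;", "'": "&apos;"})
    return f"<opensearch:itemsPerPage>{safe}</opensearch:itemsPerPage>"


def coerce_count(value, default=50, maximum=100):
    """Fix 2 (assumed policy): the element is an integer count, so anything
    that is not a positive integer falls back to the default and large
    values are capped."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return default
    if n < 1:
        return default
    return min(n, maximum)


def wrap(fragment):
    """Hypothetical helper: wrap a fragment in a channel element that declares
    the opensearch prefix so ElementTree can parse it."""
    return f'<channel xmlns:opensearch="{OPENSEARCH_NS}">{fragment}</channel>'


def injected_children(fragment):
    """Number of child elements inside itemsPerPage. A correct feed has zero;
    a value above zero means the input changed the XML structure."""
    item = ET.fromstring(wrap(fragment))[0]
    return len(list(item))


def element_text(fragment):
    """Text content of itemsPerPage after XML parsing and entity decoding."""
    return ET.fromstring(wrap(fragment))[0].text


if __name__ == "__main__":
    raw = items_per_page_unescaped(PROBE_VALUE)
    fixed = items_per_page_escaped(PROBE_VALUE)
    print("raw fragment:    ", raw)
    print("  child elements:", injected_children(raw))   # 1: the <h1> got in
    print("escaped fragment:", fixed)
    print("  child elements:", injected_children(fixed)) # 0: it is just text
    print("  decoded text:  ", element_text(fixed))
    print("coerced count:   ", coerce_count(PROBE_VALUE)) # 50: not an integer
```

Both fixes are worth applying together in a feed handler: escaping protects every string that reaches the template, while integer coercion removes the possibility of non-numeric content in this particular element at all.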