[Koha] Potential XSS attack vector in opac

2014-12-09 Thread Bob Ewart
When our site was scanned for potential vulnerabilities, they came up 
with the following links typed into Firefox.


50.199.57.14/cgi-bin/koha/opac-search.pl?q=123&sort_by='">prompt('Happy_Holidays')&limit=123

and

50.199.57.14/cgi-bin/koha/opac-search.pl?q=ccl=su%3AGay%20men%20and%20su%3ASexual%20behavior&offset=100&sort_by=relevance_asc'">prompt('Happy_Holidays')

Both of these scripts are executed and cause a pop-up.

This looks similar to bug 11341 which was fixed in 3.14.  We are running 
3.18 on Xubuntu 14.04 LTS installed from the PPA.  I noticed that in the 
patch at 
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23313&action=diff 
there were a number of '|html %' entries which appear as '|url %' in 3.18.


Is this a regression on bug 11341?

Bob Ewart




___
Koha mailing list  http://koha-community.org
Koha@lists.katipo.co.nz
http://lists.katipo.co.nz/mailman/listinfo/koha
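Added example, not code from this thread or from Koha: a Python check that models Template Toolkit's html and url filters and asks an HTML parser whether a sort_by value reflected into an attribute stays inside it. The filter models, the <option> markup and the canary string are assumptions made for the example; the thread does not show the template context in which Koha emitted sort_by.

```python
from html.parser import HTMLParser
from urllib.parse import quote

# Models of the two Template Toolkit filters the report contrasts. Assumption:
# approximations written for this example, not Koha's or TT's own code.
def tt_html(value: str) -> str:
    """[% x | html %]: escapes & < > and the double quote, not the single quote."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

def tt_url(value: str) -> str:
    """[% x | url %]: percent-encodes all but RFC 2396 unreserved and reserved
    characters, so the quote ' and ( ) ! * pass through unchanged."""
    return quote(value, safe=";/?:@&=+$,-_.!~*'()")

class _TagCollector(HTMLParser):
    """Records the start tags and attributes a browser-side parser would build."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def render_option(sort_by: str, filt, quote_char: str = '"') -> str:
    """Assumed markup: the sort_by parameter reflected into an attribute value."""
    return f"<option value={quote_char}{filt(sort_by)}{quote_char}>Sort</option>"

def breaks_out(markup: str) -> bool:
    """True unless the parser sees exactly one <option> with only a value
    attribute, i.e. the reflected text stayed inside its attribute."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return not (len(collector.tags) == 1
                and collector.tags[0][0] == "option"
                and list(collector.tags[0][1]) == ["value"])

# Constructed canary: both quote styles plus a harmless tag, as a scanner probes.
CANARY = "'\"><b>canary</b>"

def regression_report(value: str = CANARY) -> dict:
    """(filter, quote style) -> whether the value escaped its attribute."""
    return {(name, q): breaks_out(render_option(value, filt, q))
            for name, filt in (("none", str), ("html", tt_html), ("url", tt_url))
            for q in ('"', "'")}

if __name__ == "__main__":
    for (name, q), escaped in sorted(regression_report().items()):
        print(f"filter={name:<4} quote={q}  breaks_out={escaped}")
```

Run directly, it prints a breaks_out verdict for each filter and quoting style; the single-quoted rows show that neither filter protects an attribute delimited with single quotes.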


Re: [Koha] Potential XSS attack vector in opac

2014-12-09 Thread Liz Rea
Hi Bob,

Thanks for reporting this bug. In the future, it would be better for you
to file your bug at the community bugzilla - the large blue link here:
http://koha-community.org/security/

As a general reminder for everyone, please don't post your found
vulnerabilities to the public list. Security bugs should be reported at
the link above. Koha security bugs are restricted viewing to the
reporter, and the people listed who are in the security group, which
corresponds with those who need to be involved in organising an
out-of-sequence release to deal with serious security issues.

Thanks again for reporting the issue and helping to make Koha better.

Liz

On 10/12/14 11:42, Bob Ewart wrote:
> When our site was scanned for potential vulnerabilities...

-- 
--
Liz Rea
Catalyst.Net Limited
Level 6, Catalyst House, 
150 Willis Street, Wellington.
P.O Box 11053, Manners Street, 
Wellington 6142

GPG: B149 A443 6B01 7386 C2C7 F481 B6c2 A49D 3726 38B7




Re: [Koha] Potential XSS attack vector in opac

2014-12-09 Thread Chris Cormack
Hi All

I have reported the bug, and I am just uploading a couple of patches (one
for master/3.18, which is bootstrap) and one for 3.16, which has the
change for bootstrap and prog.

Chris

-- 
Chris Cormack
Catalyst IT Ltd.
+64 4 803 2238
PO Box 11-053, Manners St, Wellington 6142, New Zealand


Re: [Koha] Potential XSS attack vector in opac

2014-12-09 Thread Robin Sheat
Chris Cormack schreef op wo 10-12-2014 om 12:46 [+1300]:
> I have reported the bug, and I am just uploading a couple of patches,
> (one for master/3.18 which is bootstrap) and one for 3.16 which has
> the change for bootstrap and prog

Packages for 3.18.01 have been released to the 'squeeze' repository. 

The 'oldstable' repository will get 3.16 when an update for that has
been released. Note that it currently contains 3.14.11, so this will
also be an upgrade for that (which I'd rather didn't happen, but I was
waiting for 3.16.05 anyway before updating it).

I expect this to happen tomorrow, though I'll be conferencing then so I
can't promise exactly when it'll happen. 

-- 
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
GPG: 5FA7 4B49 1E4D CAA4 4C38  8505 77F5 B724 F871 3BDF



Re: [Koha] Potential XSS attack vector in opac

2014-12-10 Thread Elaine Bradtke
Could someone let us know what bug number this is?
Thanks

-- 
Elaine Bradtke
Data Wrangler
VWML
English Folk Dance and Song Society | http://www.efdss.org
Cecil Sharp House, 2 Regent's Park Road, London NW1 7AY
Tel +44 (0) 20 7485 2206 (This number is for the English Folk Dance and
Song Society in London, England. If you wish to phone me personally, send
an e-mail first. I work off site)
--
Registered Company No. 297142
Charity Registered in England and Wales No. 305999
---
"Writing about music is like dancing about architecture"
--Elvis Costello (Musician magazine No. 60 (October 1983), p. 52)


Re: [Koha] Potential XSS attack vector in opac

2014-12-10 Thread Chris Cormack
Hi Elaine 

It's in the 3.18.01 release notes
http://koha-community.org/koha-3-18-01-security-release/

You won't be able to see it in bugzilla; the bug is still private until a 3.16.x
release is done, but you can cherry-pick the code from the 3.18.x branch in git.

Chris 

On 11 December 2014 6:33:33 am NZDT, Elaine Bradtke  wrote:
>Could someone let us know what bug number this is?
>Thanks

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [Koha] Potential XSS attack vector in opac

2014-12-10 Thread Robin Sheat
Op 10/12/14 om 18:01 schreef Robin Sheat:
> I expect this to happen tomorrow, though I'll be conferencing then so I
> can't promise exactly when it'll happen. 

3.16.05 packages are now available in the 'oldstable' repo.

-- 
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204
GPG: 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D