Bug 14416: Stored XSS vulnerability

The affected page in the OPAC client is: http://testbox:9001/cgi-bin/koha/opac-shelves.pl the vulnerable parameter: addshelf The affected page in the STAFF client is: http://testbox:9002/cgi-bin/koha/virtualshelves/shelves.pl To test: 1/ Create a shelf in the opac that contains some malicious js eg Bad stuff <script>alert('oh noes');</script> as the name 2/ Go to /cgi-bin/koha/virtualshelves/shelves.pl in the staff client Note the js is executed 3/ View http://192.168.2.18:8080/cgi-bin/koha/svc/virtualshelves/search?template_path=virtualshelves/tables/shelves_results.tt&type=1 Notice the html is not escaped 4/ Apply patch 5/ View http://192.168.2.18:8080/cgi-bin/koha/svc/virtualshelves/search?template_path=virtualshelves/tables/shelves_results.tt&type=1 Notice the html is now escaped 6/ View /cgi-bin/koha/virtualshelves/shelves.pl - no more exploit Signed-off-by: Jonathan Druart <jonathan.druart@koha-community.org> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
2015-06-19 10:54:40 +12:00 · 2015-06-19 10:54:40 +12:00 · 703a928b9d
commit 703a928b9d
parent a80d188c83
1 changed files with 1 additions and 1 deletions
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/tables/shelves_results.tt
@ -9,7 +9,7 @@
                "dt_type":
                    "[% data.type %]",
                "dt_shelfname":
-                    "<a href='/cgi-bin/koha/virtualshelves/shelves.pl?viewshelf=[% data.shelfnumber %]'>[% data.shelfname %]</a>",
+                    "<a href='/cgi-bin/koha/virtualshelves/shelves.pl?viewshelf=[% data.shelfnumber %]'>[% data.shelfname | html%]</a>",
                "dt_count":
                    "[% data.count %] item(s)",
                "dt_owner":