Koha/C4
Kyle Hall e75b17d28d Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl )
There appears to be a cross site scripting attack vulnerability in opac-authorities-home.pl, but it may be accessible from any page using C4::Output::pagination_bar.

https://MYKOHA.LOCAL/cgi-bin/koha/opac-authorities-home.pl?and_or=and%27%22()%26%25%3Csad%3E%3CScRiPt%20%3Ealert(document.domain)%3C/ScRiPt%3E&authtypecode=CORPO_NAME&excluding=1&marclist=all&op=do_search&operator=contains&orderby=HeadingAsc&type=opac&value=1

Test Plan:
1) Use the URL above to show the XSS vulnerability exists
2) Apply this patch
3) Restart all the things!
4) Reload the page, no XSS vulnerability!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
2022-07-25 14:21:14 +00:00
AuthoritiesMarc
Barcodes
ClassSortRoutine
ClassSplitRoutine Bug 28572: Remove C4::Debug 2021-06-22 12:04:32 +02:00
Creators
External
Form
Heading
ILSDI Bug 29924: Update ILSDI to be aware of expired passwords 2022-05-06 10:33:09 -10:00
Installer Bug 30731: Remove Readonly::XS::MAGIC_COOKIE 2022-06-10 15:18:51 +00:00
Labels
Linker
Members
OAI
Output
Patroncards
Reports
Search
Serials
SIP Bug 29755: Check each NoIssuesCharge separately 2022-05-06 15:58:13 -10:00
Utils Bug 29648: (QA follow-up) Minor POD fix 2022-04-27 11:20:45 -10:00
Accounts.pm
Acquisition.pm Bug 29844: Fix ->search occurrences 2022-02-09 15:36:23 -10:00
Auth.pm Bug 30842: 2FA - Allow at least one old TOTP 2022-06-10 15:01:07 +00:00
Auth_cas_servers.yaml.sample
Auth_with_cas.pm Bug 28417: Don't require C4::Auth_with_cas from opac-user if not needed 2021-11-03 15:40:52 +01:00
Auth_with_ldap.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Auth_with_shibboleth.pm
AuthoritiesMarc.pm Bug 30464: Make BatchUpdateAuthority update the index in one request 2022-05-05 11:17:36 -10:00
BackgroundJob.pm
Barcodes.pm
Biblio.pm Bug 30789: Improve performance of AddBiblio 2022-07-12 17:34:41 +00:00
Breeding.pm
Budgets.pm
Calendar.pm
Charset.pm
Circulation.pm Bug 30409: (QA follow-up) Avoid uninitialized variable warnings 2022-07-13 13:50:08 -06:00
ClassSortRoutine.pm
ClassSource.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
ClassSplitRoutine.pm
Context.pm Bug 30702: Fix Context.pm L785 warning on sessionID 2022-05-06 10:33:10 -10:00
Contract.pm
CourseReserves.pm
Creators.pm
Heading.pm
HoldsQueue.pm Bug 29346: Use fully qualified names for C4:Circulation routines in C4::HoldsQueue 2022-05-05 11:17:36 -10:00
HTML5Media.pm
ImportBatch.pm Bug 30778: Remove ModAuthInBatch 2022-07-12 15:28:15 +00:00
ImportExportFramework.pm Bug 13952: (follow-up) JS translatability, clean warns, other 2022-04-04 16:23:46 +02:00
InstallAuth.pm
Installer.pm
ItemCirculationAlertPreference.pm
Items.pm Bug 29719: Do not clear onloan value when not passed in MARC 2022-05-16 11:20:09 -10:00
Koha.pm Bug 29883: avoid uninitialized value warn in GetAuthorisedValues sub 2022-06-06 15:31:49 +00:00
Labels.pm
Languages.pm Bug 15067: Follow up to fix sorting 2021-08-04 14:06:43 +02:00
Letters.pm Bug 30781: Fix warning in GetPreparedLetter 2022-06-10 16:33:43 +00:00
Linker.pm
Log.pm
MarcModificationTemplates.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Matcher.pm
Members.pm
Message.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Output.pm Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl ) 2022-07-25 14:21:14 +00:00
Overdues.pm Bug 30788: Fix warning in Overdues.pm when fine is empty in circ rules 2022-06-10 14:53:54 +00:00
Patroncards.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Record.pm
Reports.pm
Reserves.pm Bug 12630: Rebase tests and cover CheckReserves 2022-07-15 17:37:46 +00:00
Ris.pm
RotatingCollections.pm
Scheduler.pm
Scrubber.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Search.pm Bug 30528: Process limits before handling CCL query 2022-06-06 15:42:51 +00:00
Serials.pm Bug 23352: Set default collection code when creating subscription 2022-05-10 15:17:17 -10:00
Service.pm
ShelfBrowser.pm
SMS.pm Bug 27673: Replace YAML with YAML::XS 2021-02-16 14:54:50 +01:00
SocialData.pm
Stats.pm
Suggestions.pm
Tags.pm
Templates.pm Bug 26019: Koha should set SameSite attribute on cookies 2022-04-13 15:55:38 +02:00
TmplToken.pm
TmplTokenType.pm
TTParser.pm
UsageStats.pm Bug 30237: Replace AutoEmailOpacUser with AutoEmailNewUser 2022-04-20 09:03:39 -10:00
XISBN.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
XSLT.pm Bug 30291: Changes to controller scripts 2022-05-05 11:17:36 -10:00