Main Koha release repository https://koha-community.org
Jonathan Druart 779fa7c6da Bug 16591: Fix CSRF in opac-memberentry
If an attacker can get an authenticated Koha user to visit their page
with the code below, they can update the victim's details to arbitrary
values.

Test plan:

Trigger
/cgi-bin/koha/opac-memberentry.pl?action=update&borrower_B_city=HACKED&borrower_firstname=KOHA&borrower_surname=test

=> Without this patch, the update will be done (or modification
request)
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to make it stylish)

Do some regression tests with this patch applied (update patron info)

QA note: I am not sure it's useful to create a digest of the DB pass,
but just in case...

Reported by Alex Middleton at Dionach.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-06-24 11:55:15 +00:00
acqui
admin
api/v1
authorities
basket Bug 16447: Remove occurrence of the borrow permission which does no longer exist 2016-05-05 21:28:14 +00:00
C4 Bug 16591: Fix CSRF in opac-memberentry 2016-06-24 11:55:15 +00:00
catalogue Bug 16593: Do not allow patrons to delete search history of others patrons 2016-06-24 11:47:29 +00:00
cataloguing
circ Bug 16527: Restore sticky due date behavior 2016-06-24 11:46:35 +00:00
course_reserves
debian
docs
errors
etc
install_misc
installer Bug 11490 - DBRev 16.06.00.003 2016-06-24 11:53:02 +00:00
Koha
koha-tmpl Bug 16591: Fix CSRF in opac-memberentry 2016-06-24 11:55:15 +00:00
labels
members
misc Bug 16672: Fix typo unqiue vs unique 2016-06-17 15:45:54 +00:00
offline_circ Bug 15764: Fix timestamp sent by KOCT 2016-02-23 20:53:18 +00:00
opac Bug 16591: Fix CSRF in opac-memberentry 2016-06-24 11:55:15 +00:00
OpenILS
patron_lists
patroncards Bug 16747 - Patron card creator broken with version 16.05 2016-06-21 20:48:50 +00:00
plugins
reports Bug 16594: Fix obvious QA issues from bug 11371 2016-06-17 14:53:45 +00:00
reserve
reviews Bug 14779: Cannot paginate reviews 2015-09-07 11:38:26 -03:00
rotating_collections
selenium
serials
services
skel
sms
suggestion Bug 16154: CGI->multi_param - Declare a list 2016-04-26 23:16:42 +00:00
svc
t Bug 16534: Add tests for AddIssue 2016-06-24 11:45:00 +00:00
tags
test
tmp/modified_authorities
tools Bug 11490: Split MaxItemsForBatch into 2 prefs to clarify things 2016-06-24 11:50:27 +00:00
virtualshelves
xt Bug 16174: (QA followup) Fix remaining tests 2016-04-01 19:11:33 +00:00
.editorconfig
.htaccess Fix file permissions: if it is not a script, it should not be executable. 2010-04-16 00:40:34 -04:00
.mailmap
about.pl
changelanguage.pl
edithelp.pl
fix-perl-path.PL
help.pl
INSTALL
install-CPAN.pl
INSTALL.debian
INSTALL.fedora7
INSTALL.opensuse
INSTALL.ubuntu
Koha.pm Bug 11490 - DBRev 16.06.00.003 2016-06-24 11:53:02 +00:00
koha_perl_deps.pl
kohaversion.pl
LICENSE
mainpage.pl
Makefile.PL
MANIFEST.SKIP Bug 9546 : Updating make manifest tardist 2013-02-06 23:54:46 -05:00
README
README.md
README.robots
rewrite-config.PL

Koha is a free software integrated library system (ILS).

Koha is distributed under the GNU GPL version 3 or later.

Note: This is a synced mirror of the official Koha repo.

Note: Koha does not accept pull requests from git hosting sites.

Note: This project has its own bug tracker; to report a bug or submit a patch, visit http://bugs.koha-community.org.

For guidelines on submitting patches for Koha please visit https://wiki.koha-community.org/wiki/SubmitingAPatch

The developer's handbook can be found at https://wiki.koha-community.org/wiki/Developer_handbook

http://koha-community.org/
