Koha/C4
Kyle Hall 866d10d416
Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl )
There appears to be a cross-site scripting attack vulnerability in opac-authorities-home.pl, but it may be accessible from any page using C4::Output::pagination_bar.

https://MYKOHA.LOCAL/cgi-bin/koha/opac-authorities-home.pl?and_or=and%27%22()%26%25%3Csad%3E%3CScRiPt%20%3Ealert(document.domain)%3C/ScRiPt%3E&authtypecode=CORPO_NAME&excluding=1&marclist=all&op=do_search&operator=contains&orderby=HeadingAsc&type=opac&value=1

Test Plan:
1) Use the URL above to show the XSS vulnerability exists
2) Apply this patch
3) Restart all the things!
4) Reload the page, no XSS vulnerability!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2022-07-25 11:18:11 -03:00
AuthoritiesMarc
Barcodes
ClassSortRoutine
ClassSplitRoutine
Creators
External
Form
Heading
ILSDI Bug 29697: Reintroduce wrongly removed import 2022-07-25 09:30:39 -03:00
Installer Bug 30731: Remove Readonly::XS::MAGIC_COOKIE 2022-06-01 16:15:26 -03:00
Labels Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
Linker
Members
OAI Bug 29697: Use flag embed_items 2022-07-22 15:24:11 -03:00
Output
Patroncards
Reports
Search
Serials
SIP Bug 31202: Don't remove optional SIP fields with a value of "0" 2022-07-21 15:55:56 -03:00
Utils
Accounts.pm Bug 28854: (follow-up) Use Koha::Item->itemtype introduced with bug 20469 2022-07-13 10:35:46 -03:00
Acquisition.pm Bug 27045: (follow-up) Fix delimiter in header rows 2022-07-20 11:50:41 -03:00
Auth.pm Bug 30842: 2FA - Allow at least one old TOTP 2022-06-01 16:14:42 -03:00
Auth_cas_servers.yaml.sample
Auth_with_cas.pm
Auth_with_ldap.pm Bug 17600: Standardize our EXPORT_OK 2021-07-16 08:58:47 +02:00
Auth_with_shibboleth.pm
AuthoritiesMarc.pm Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
BackgroundJob.pm
Barcodes.pm
Biblio.pm Bug 29697: Deal with the degraded view in detail.pl 2022-07-22 15:24:12 -03:00
Breeding.pm Bug 30813: (QA follow-up) Adjust three use statements 2022-06-08 11:40:32 -03:00
Budgets.pm
Calendar.pm
Charset.pm Bug 18984: Remove NORMARC support 2021-10-07 15:36:40 +02:00
Circulation.pm Bug 28854: Update circulation functionality for bundles 2022-07-13 10:35:27 -03:00
ClassSortRoutine.pm Bug 29951: Fix EXPORT for C4::ClassS*Routine modules 2022-07-08 15:29:56 -03:00
ClassSource.pm Bug 29951: Fix EXPORT for C4::ClassS*Routine modules 2022-07-08 15:29:56 -03:00
ClassSplitRoutine.pm Bug 29951: Fix EXPORT for C4::ClassS*Routine modules 2022-07-08 15:29:56 -03:00
Context.pm Bug 30702: Fix Context.pm L785 warning on sessionID 2022-05-06 10:33:10 -10:00
Contract.pm
CourseReserves.pm
Creators.pm
Heading.pm
HoldsQueue.pm Bug 29346: Use fully qualified names for C4:Circulation routines in C4::HoldsQueue 2022-05-05 11:17:36 -10:00
HTML5Media.pm
ImportBatch.pm Bug 29333: Fix encoding of imported UNIMARC authorities 2022-07-08 15:43:33 -03:00
ImportExportFramework.pm
InstallAuth.pm
Installer.pm Bug 30620: Add a warning about /*!VERSION lines in kohastructure 2022-05-02 11:22:57 -10:00
ItemCirculationAlertPreference.pm
Items.pm Bug 29697: Remove GetHiddenItemnumbers 2022-07-22 15:24:11 -03:00
Koha.pm Bug 29883: avoid uninitialized value warn in GetAuthorisedValues sub 2022-06-01 13:40:24 -03:00
Labels.pm Bug 21395: Make perlcritic happy 2020-06-29 12:37:02 +02:00
Languages.pm
Letters.pm Bug 30838: Set to_address to smsalertnumber at send 2022-07-22 14:44:27 -03:00
Linker.pm
Log.pm Bug 28692: (QA follow-up) Fix test for objects 2021-11-16 14:00:20 +01:00
MarcModificationTemplates.pm
Matcher.pm
Members.pm Bug 30275: Rename issues.renewals to issues.renewals_count 2022-07-05 09:45:55 -03:00
Message.pm Bug 30838: (QA follow-up) Add missing semicolon 2022-07-22 14:45:59 -03:00
Output.pm Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl ) 2022-07-25 11:18:11 -03:00
Overdues.pm Bug 24865: (QA follow-up) Remove hardcoded notice name from protected_letters 2022-07-05 11:37:39 -03:00
Patroncards.pm
Record.pm Bug 29697: Fix t/db_dependent/Exporter/Record.t 2022-07-25 09:30:35 -03:00
Reports.pm
Reserves.pm Bug 12630: Rebase tests and cover CheckReserves 2022-06-13 10:24:50 -03:00
Ris.pm
RotatingCollections.pm
Scheduler.pm
Scrubber.pm
Search.pm Bug 29697: Fix t/db_dependent/Search.t 2022-07-25 10:16:48 -03:00
Serials.pm Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
Service.pm
ShelfBrowser.pm Bug 29697: Replace GetMarcBiblio occurrences with $biblio->metadata->record 2022-07-22 15:24:11 -03:00
SMS.pm
SocialData.pm
Stats.pm
Suggestions.pm Bug 23991: (follow-up) Silence useless warnings 2022-06-27 13:23:06 -03:00
Tags.pm
Templates.pm
TmplToken.pm
TmplTokenType.pm
TTParser.pm
UsageStats.pm
XISBN.pm Bug 30813: (QA follow-up) Adjust three use statements 2022-06-08 11:40:32 -03:00
XSLT.pm Bug 30291: Changes to controller scripts 2022-05-05 11:17:36 -10:00