Koha-community/Koha
13
7
Fork 0
Code Issues Releases Wiki Activity
Koha/koha-tmpl/intranet-tmpl/prog/en/modules/members
History
Amit Gupta 73a66ccaf4 Bug 19100 - XSS Flaws in memberentry.pl 
1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid.
5. Notice it is no longer executed.

NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-08-29 12:00:37 -03:00
..
tables Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
boraccount.tt Bug 18263: Make use of syspref 'CurrencyFormat' for Account and Pay fines tables 2017-03-31 13:47:41 +00:00
deletemem.tt
discharge.tt
discharges.tt
files.tt Bug 18656 - Require confirmation of deletion of files from patron record 2017-06-12 11:11:13 -03:00
housebound.tt Bug 17847: Replace C4::Koha::GetAuthvalueDropbox with Koha::AuthorisedValues 2017-03-31 10:12:37 +00:00
mancredit.tt
maninvoice.tt Bug 17014: Simplify some code 2017-03-31 14:33:52 +00:00
member-flags.tt Bug 17905: FIX CSRF in member-flags 2017-01-30 11:24:12 +00:00
member-password.tt
member.tt Bug 18551: followup - hide advanced filters in header, move hidding to css file 2017-05-19 10:49:53 -04:00
memberentrygen.tt Bug 19100 - XSS Flaws in memberentry.pl 2017-08-29 12:00:37 -03:00
members-update.tt Bug 18703 - Translatability: Resolve some remaining %%] problems for staff client in 6 Files 2017-06-16 17:04:08 -03:00
moremember-brief.tt
moremember-print.tt Bug 17014 - Remove more event attributes from patron templates 2017-03-31 14:33:51 +00:00
moremember-receipt.tt Bug 17014 - Remove more event attributes from patron templates 2017-03-31 14:33:51 +00:00
moremember.tt Bug 18469: QA Follow-up 2017-08-15 12:17:43 -03:00
nl-search.tt
notices.tt Bug 18439 - Resend button for notices being hidden by CSS and never unhidden 2017-04-21 07:32:23 -04:00
pay.tt Bug 18263: Make use of syspref 'CurrencyFormat' for Account and Pay fines tables 2017-03-31 13:47:41 +00:00
paycollect.tt Bug 17014 - Remove more event attributes from patron templates 2017-03-31 14:33:51 +00:00
printfeercpt.tt Bug 17014 - Remove more event attributes from patron templates 2017-03-31 14:33:51 +00:00
printinvoice.tt Bug 17014 - Remove more event attributes from patron templates 2017-03-31 14:33:51 +00:00
purchase-suggestions.tt Bug 16239: Update templates 2017-01-13 14:41:22 +00:00
readingrec.tt
routing-lists.tt
statistics.tt Bug 19080: Handle non-existing patrons gratefully 2017-08-25 11:03:37 -03:00
update-child.tt