Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves
author    Liz <wizzyrea@gmail.com>
Mon, 5 Jan 2015 02:32:32 +0000 (02:32 +0000)
committer Chris Cormack <chrisc@catalyst.net.nz>
Thu, 22 Jan 2015 07:01:55 +0000 (20:01 +1300)
commit    27d410eb142a868aa25c6845272a7e8b51276f3b
tree      7e7b4269ee5e52c9897c091840628dd30077a6e9
parent    1cf3dc6e8e296ad9d5af5f270c1afed74b68a02c
Bug 13510 - Cross site scripting bug in opac-downloadshelf and opac-shelves

A specially crafted URL causes XSS in Koha

To test:

cgi-bin/koha/opac-shelves.pl?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E

cgi-bin/koha/opac-downloadshelf.pl?shelfid=2%22%3Cscript%3Eprompt(1)%3C/script%3E&showprivateshelves

These should cause a popup without the patch. With the patch, no popup.

You may need to create these lists; the XSS will not be triggered if the list doesn't exist or you don't
have permission to view it.

Signed-off-by: Chris <chris@bigballofwax.co.nz>
Fixes the two listed problems

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Confirmed patch fixes the problem.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-downloadshelf.tt
koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-shelves.tt
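The test plan above reflects a shelf id from the query string into the page, and the reported bug is that the value reached the template unescaped. The following Python is an added illustration, not Koha code and not the patch to the two `.tt` files listed: it decodes the first test URL the way a CGI would, renders the value into a hypothetical hidden-input attribute once raw and once HTML-escaped, and parses the result to count how many `<script>` elements each rendering produces. The host name and the markup shape are assumptions made for the example.

```python
# Added illustration (not Koha code): reflecting a query parameter into an
# attribute without HTML-escaping it lets an attribute-breakout payload add
# a <script> element; escaping at output time keeps it inert.
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class ScriptCounter(HTMLParser):
    """Counts <script> start tags in rendered markup."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def shelf_id_from_url(url: str, param: str) -> str:
    # parse_qs decodes %22 / %3E / %3C the same way the CGI layer does
    # before the value is handed to the template.
    return parse_qs(urlsplit(url).query)[param][0]


def render_unescaped(shelf_id: str) -> str:
    # Hypothetical template output writing the raw value into an attribute
    # (assumed markup, not the real opac-shelves.tt output).
    return f'<input type="hidden" name="viewshelf" value="{shelf_id}">'


def render_escaped(shelf_id: str) -> str:
    # Same markup with HTML escaping applied at output time; quote=True is
    # what stops a double quote from closing the attribute early.
    safe = html.escape(shelf_id, quote=True)
    return f'<input type="hidden" name="viewshelf" value="{safe}">'


def count_scripts(markup: str) -> int:
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


# Constructed from the first URL in the commit message's test plan;
# the host name is an assumption.
TEST_URL = (
    "http://opac.example/cgi-bin/koha/opac-shelves.pl"
    "?viewshelf=2%22%3E%3Cscript%3Eprompt(987898)%3C/script%3E"
)

if __name__ == "__main__":
    sid = shelf_id_from_url(TEST_URL, "viewshelf")
    print("decoded parameter:", sid)
    print(count_scripts(render_unescaped(sid)), "script element(s) without escaping")
    print(count_scripts(render_escaped(sid)), "script element(s) with escaping")
```

Parsing the rendered markup, rather than grepping the string for `<script`, matters: the escaped rendering still contains the text `script`, but as entity-encoded attribute content that the parser never turns into an element, which is exactly the property the fix needs to restore.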