]> git.koha-community.org Git - koha.git/commit
Bug 19100 - XSS Flaws in memberentry.pl
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Tue, 15 Aug 2017 17:52:32 +0000 (23:22 +0530)
committerKatrin Fischer <katrin.fischer.83@web.de>
Sun, 20 Aug 2017 13:37:44 +0000 (15:37 +0200)
commitcc0033d9b6e932f3e52075776503e4956406188c
treee8378a3c07d46d1e40dec843221471454b297048
parentefc22a085b683455e1291aa9e49fa4f4b637d36f
Bug 19100 - XSS Flaws in memberentry.pl

1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid.
5. Notice it is no longer executed.

NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt