git.koha-community.org Git - koha.git/commit
Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorit... v21.11.10
author: Kyle Hall <kyle@bywatersolutions.com>
Wed, 15 Jun 2022 16:06:55 +0000 (12:06 -0400)
committer: Arthur Suzuki <arthur.suzuki@biblibre.com>
Mon, 25 Jul 2022 08:27:24 +0000 (10:27 +0200)
commit: b466dab6e2d01c0dd1be23c61754fb7f9f597d34
tree: aac4e6464ba03a8edde7bea720c5cd1266228e03
parent: fdfbdf232be224e4ad16dfcfe33b0a9893b2ccdf
Bug 30969: Cross site scripting (XSS) attack in OPAC authority search ( opac-authorities-home.pl )

There appears to be a cross site scripting attack vulnerability in opac-authorities-home.pl, but it may be accessible from any page using C4::Output::pagination_bar.

https://MYKOHA.LOCAL/cgi-bin/koha/opac-authorities-home.pl?and_or=and%27%22()%26%25%3Csad%3E%3CScRiPt%20%3Ealert(document.domain)%3C/ScRiPt%3E&authtypecode=CORPO_NAME&excluding=1&marclist=all&op=do_search&operator=contains&orderby=HeadingAsc&type=opac&value=1

Test Plan:
1) Use the URL above to show the XSS vulnerability exists
2) Apply this patch
3) Restart all the things!
4) Reload the page, no XSS vulnerability!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Arthur Suzuki <arthur.suzuki@biblibre.com>
C4/Output.pm
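The pattern behind the report above, as an added Perl example that is not Koha's code: a pagination-link builder that interpolates the raw query string into the href next to one that rebuilds the query from parsed parameters, percent-encodes each key and value, and HTML-escapes the finished attribute. The function names, the two escaping helpers and the sample parameters are assumptions constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that matter inside an HTML attribute.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g; $s =~ s/'/&#39;/g;
    return $s;
}

# Percent-encode everything outside the RFC 3986 unreserved set.
sub uri_escape {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Unsafe pattern: the query string arrives as a raw string and is pasted
# into every page link, so a value can close the attribute and inject markup.
sub pagination_bar_unsafe {
    my ($base, $query, $pages) = @_;
    return join ' ', map { qq{<a href="$base?$query&page=$_">$_</a>} } 1 .. $pages;
}

# Hardened: work from parsed parameters, encode each one for the URL,
# then escape the whole URL for the attribute context it is placed in.
sub pagination_bar_safe {
    my ($base, $params, $pages) = @_;
    my @links;
    for my $page (1 .. $pages) {
        my @pairs = map { uri_escape($_) . '=' . uri_escape($params->{$_}) } sort keys %$params;
        push @pairs, "page=$page";
        my $url = html_escape("$base?" . join('&', @pairs));
        push @links, qq{<a href="$url">$page</a>};
    }
    return join ' ', @links;
}

# Constructed parameters modelled on the report: and_or carries markup.
my %params = ( and_or => q{and'"()<script>alert(1)</script>}, op => 'do_search' );
my $raw = join '&', map { "$_=$params{$_}" } sort keys %params;

my $unsafe = pagination_bar_unsafe('opac-authorities-home.pl', $raw, 2);
my $safe   = pagination_bar_safe('opac-authorities-home.pl', \%params, 2);
print "unsafe output still contains a raw <script> tag\n" if $unsafe =~ /<script>/;
print "safe output contains no raw tag from the parameters\n" unless $safe =~ /<script>/;
print "$safe\n";
```

In the hardened output the injected value survives only as percent-encoded text inside the href, which is what a regression check for this bug should assert on.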