git.koha-community.org Git - koha.git/commit
Bug 19100 - XSS Flaws in memberentry.pl
author    Amit Gupta <amit.gupta@informaticsglobal.com>
Tue, 15 Aug 2017 17:52:32 +0000 (23:22 +0530)
committer Mason James <mtj@kohaaloha.com>
Thu, 24 Aug 2017 06:04:56 +0000 (18:04 +1200)
commit    ec036698f58c8331d30f279164d55232f7fcbf97
tree      d0aba88b5186342d79312f2a75814131ca1980dd
parent    505211d6ed08c59bfb3a5e0cd25a756ebb4bf0ca
Bug 19100 - XSS Flaws in memberentry.pl

1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid
2. Notice the JavaScript is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid.
5. Notice it is no longer executed.

NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
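The commit page above does not show the diff to memberentrygen.tt, only the test plan. The following is an added example (not Koha's code and not the content of this patch) that reproduces the class of bug the test plan describes and the standard Template Toolkit remedy for it: a request parameter interpolated into a template with `[% guarantorid %]` lands in the page verbatim, while `[% guarantorid | html %]` passes it through Template Toolkit's built-in `html` filter, which rewrites `&`, `<`, `>` and `"` as entities. The template fragments, the `render` and `reflects_payload` helpers and the payload are all constructed for this example; whether the actual Koha fix used the `html` filter is not visible on this page. It needs the Template Toolkit module (the `Template` distribution on CPAN) installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;   # Template Toolkit, the engine behind Koha's .tt files

# Constructed payload, modelled on the one in the commit message's test plan.
my $payload = q{xx<script>alert('amit')</script>};

# Hypothetical template fragments (not taken from memberentrygen.tt).
# The first interpolates the parameter raw into a text node, so a browser
# parses the injected <script> element; the second applies Template
# Toolkit's html filter before output.
my %fragment = (
    unescaped => q{<span class="guarantor">[% guarantorid %]</span>},
    escaped   => q{<span class="guarantor">[% guarantorid | html %]</span>},
);

my $tt = Template->new() or die Template->error();

# Render a template string with the payload bound to the guarantorid variable,
# the way a CGI script would hand a request parameter to its template.
sub render {
    my ($template_text) = @_;
    my $output = '';
    $tt->process(\$template_text, { guarantorid => $payload }, \$output)
        or die $tt->error();
    return $output;
}

# Reflected-XSS check: the output is only acceptable if the raw payload
# does not reappear verbatim in the generated markup.
sub reflects_payload {
    my ($html) = @_;
    return index($html, $payload) >= 0 ? 1 : 0;
}

for my $name (qw(unescaped escaped)) {
    my $html = render($fragment{$name});
    printf "%-9s reflects raw payload: %s\n  %s\n",
        $name, reflects_payload($html) ? 'yes' : 'no', $html;
}
```

Running this prints the unescaped fragment with the `<script>` element intact and the escaped fragment with `&lt;script&gt;` in its place; `reflects_payload` reports `yes` for the former and `no` for the latter. The same `index` check, run against the body of an HTTP response for the URL in the test plan, is the automated equivalent of step 2 and step 5 above and does not depend on which browser's XSS filter happens to be active.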