]> git.koha-community.org Git - koha.git/commit
Bug 19100 - XSS Flaws in memberentry.pl
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Tue, 15 Aug 2017 17:52:32 +0000 (23:22 +0530)
committerFridolin Somers <fridolin.somers@biblibre.com>
Wed, 23 Aug 2017 15:00:12 +0000 (17:00 +0200)
commitbe1bd8b56140b1ac45259c1ac3c6de25a45687b8
treeb12f3f993fbcd92cbd9ba3bd47ccde2e6613f3f8
parent84c5bebcd3a93d21bd7b800b63ba3506adcaf0bf
Bug 19100 - XSS Flaws in memberentry.pl

1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
   xx - is a guarantorid.
5. Notice it is no longer executed.

NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit d42639166c9de0e83b16b04cd8c05146648b03fd)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt