git.koha-community.org Git - koha.git/commit

author	Amit Gupta <amit.gupta@informaticsglobal.com>
	Tue, 15 Aug 2017 17:52:32 +0000 (23:22 +0530)
committer	Katrin Fischer <katrin.fischer.83@web.de>
	Sun, 20 Aug 2017 13:37:44 +0000 (15:37 +0200)
commit	cc0033d9b6e932f3e52075776503e4956406188c
tree	e8378a3c07d46d1e40dec843221471454b297048	tree \| snapshot
parent	efc22a085b683455e1291aa9e49fa4f4b637d36f	commit \| diff

Bug 19100 - XSS Flaws in memberentry.pl

1. Hit /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid
2. Notice the java script is executed.
3. Apply patch.
4. Reload page, and hit the page again /cgi-bin/koha/members/memberentry.pl?op=add&guarantorid=xx<script>alert('amit')</script>
xx - is a guarantorid.
5. Notice it is no longer executed.

NOTE: I had to test in Microsoft Edge, because Chrome was blocking XSS for me.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>