Dear community,

In our Koha version 3.12.01, which runs on Ubuntu 12.04, we have some problems. Recently our web provider checked Koha security with the "Acunetix" web application security program and found some high-severity vulnerabilities.

First threat:
**********************************
Cross site scripting (verified)
Affects: /cgi-bin/koha/opac-search.pl
Variation: URL encoded GET input count was set to 50'"()&%<ScRiPt >prompt(901653)</ScRiPt>
GET /cgi-bin/koha/opac-search.pl?.........
****************************************

Second:
***************************************
Application error message
Affects: /cgi-bin/koha/opac-search.pl
Variation: URL encoded GET input count was set to '"()
Error message found: Internal Server Error
GET /cgi-bin/koha/opac-search.pl?count=%27%22%28%29&format=rss2&idx=ti&q=1&sort_by=acqdate_dsc HTTP/1.1 (line truncated)........
****************************

See the security program results in the attachment. How to prevent XSS attacks and protect opac-search.pl?

Best regards,
Araik

_______________________________________________
Koha mailing list http://koha-community.org
[email protected]
http://lists.katipo.co.nz/mailman/listinfo/koha
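As an added illustration of the defensive approach, not Koha's own code and not the fix the project shipped: the count parameter is validated server-side as a bounded integer so neither scanner payload reaches the query or the template, and anything reflected into HTML is escaped. The default and maximum values and the helper names are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example (not Koha's own code): treat the OPAC "count" parameter as an
# integer with a bounded range, and HTML-escape anything that is reflected.
use strict;
use warnings;

# Default and maximum results-per-page; these values are assumptions for
# the example, not Koha's configured defaults.
my $DEFAULT_COUNT = 20;
my $MAX_COUNT     = 100;

# Accept only a plain decimal integer within range; anything else
# (including both scanner payloads) falls back to the default, so the
# raw value is never used in a search query, a template or an error message.
sub sanitize_count {
    my ($raw) = @_;
    return $DEFAULT_COUNT unless defined $raw;
    return $DEFAULT_COUNT unless $raw =~ /\A\d{1,3}\z/;
    my $n = $raw + 0;
    return $DEFAULT_COUNT if $n < 1;
    return $MAX_COUNT     if $n > $MAX_COUNT;
    return $n;
}

# Minimal HTML escaping for values that must be echoed into a page;
# in Koha's Template Toolkit templates the equivalent is the "| html" filter.
sub escape_html {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed inputs modelled on the two scanner findings in the post,
# plus a legitimate value and two edge cases.
my @inputs = (
    q{50'"()&%<ScRiPt >prompt(901653)</ScRiPt>},   # XSS probe
    q{'"()},                                         # error-message probe
    '50',                                            # legitimate value
    '0', '9999', undef,                              # out of range / missing
);
for my $in (@inputs) {
    my $shown = defined $in ? escape_html($in) : '(missing)';
    printf "count=%-45s -> used %d\n", $shown, sanitize_count($in);
}
```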

