Please open a bug report in the "Koha security" project https://bugs.koha-community.org/bugzilla3/enter_bug.cgi That way we can keep the vulnerability hidden until a fix is published
On Wed, 13 Sep 2017 at 15:35 Tom Hanstra <[email protected]> wrote: > We received email from our campus InfoSec group that a portion of our Koha > site was vulnerable to cross-site scripting attacks. Below is the gist of > the email we received: > > GET: https://[our server]cgi-bin/koha/opac-shelve > s.pl?op=list&category=%22/%3E%3Cimg%20src=x%20onerror=% > 22alert(%27Doh!%20Insert%20Hax%20Here.%27)%22%20/%3E%3C!%E2%80%94 > > ATTACK DETAILS: > This page is vulnerable to Cross-site scripting attacks. > > Cross-site scripting attacks, in general, are an issue because > they are enabling attacks. Specially-crafted malicious URLs can > steal authentication tokens/cookies when a logged-in user visits them, > giving the attacker full access to that user's account in the application. > Reflected XSS attacks, in particular, are a concern as they can be used to > socially engineer a user into clicking on what appears to be a legitimate > URL. > > Please also consider the following: > > - Web application security testing should be performed regularly, > especially for any public web applications. This includes > tracking application inventory, general code review and vulnerability > assessments using web application security testing tools. > > - All input received by the web server should be checked before > it is processed. The best method is to remove all unwanted input and > accept only expected input. For example, ensure angle brackets are > not allowed in any input to any Web page fields. Additionally, no > syntactic input should be allowed. Syntactic input can come from > databases, other servers, etc. All input into a Web application must > be filtered to ensure the delivery of clean content to individuals using > your service. > > - Other References: > > OWASP Guide to Building Secure Web Applications and Web Services > https://www.owasp.org/index.php/Category:OWASP_Guide_Project > -------------- > > Does anyone know if there is a newer version of Koha which addresses these > issues? > > Thanks, > Tom > > -- > *Tom Hanstra* > *Sr. Systems Administrator* > [email protected] > > <http://library.nd.edu/> > _______________________________________________ > Koha mailing list http://koha-community.org > [email protected] > https://lists.katipo.co.nz/mailman/listinfo/koha > _______________________________________________ Koha mailing list http://koha-community.org [email protected] https://lists.katipo.co.nz/mailman/listinfo/koha

