[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Chris Cormack <ch...@bigballofwax.co.nz> changed:

           What    |Removed       |Added
             Status|NEW           |RESOLVED
         Resolution|---           |FIXED

--- Comment #47 from Chris Cormack <ch...@bigballofwax.co.nz> ---
No outstanding vulnerabilities at this time, a new bug can be opened if some are found

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Katrin Fischer <katrin.fisc...@bsz-bw.de> changed:

           What    |Removed       |Added
             Status|ASSIGNED      |NEW
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Katrin Fischer <katrin.fisc...@bsz-bw.de> changed:

           What    |Removed       |Added
            Version|3.10          |master
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Jared Camins-Esakov <jcam...@cpbibliography.com> changed:

           What    |Removed       |Added
  Attachment #12835|0             |1
        is obsolete|              |
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Jared Camins-Esakov <jcam...@cpbibliography.com> changed:

           What    |Removed       |Added
  Attachment #12836|0             |1
        is obsolete|              |
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Jared Camins-Esakov <jcam...@cpbibliography.com> changed:

           What    |Removed       |Added
  Attachment #12926|0             |1
        is obsolete|              |
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Paul Poulain <paul.poul...@biblibre.com> changed:

           What    |Removed       |Added
             Status|Signed Off    |ASSIGNED
            Version|master        |rel_3_10

--- Comment #46 from Paul Poulain <paul.poul...@biblibre.com> ---
The 3 patches
  Bug 3652: close XSS vulnerabilities on biblionumber and authid (3.40 KB, patch)
  Bug 3652: close XSS vulnerabilities in opac-export (2.62 KB, patch)
  bug 3652 fixing XSS vulnerabilities in opac-search (3.04 KB, patch)
have been pushed

QA comment for Bug 3652: close XSS vulnerabilities on biblionumber and authid (3.40 KB, patch)
=
I made a follow-up to remove the || $query->param('bib'); (see comment 38)
I think opac-detail.pl could also be fixed, but in case there's an old reference to this, I won't do that without a specific patch.

Comment for opac-search
=
the XSS did not work for me if I entered "Search" in the opac for ';/scriptscriptalert(10);/alert'
It was exploitable only with /cgi-bin/koha/opac-search.pl?q=%3B%3C%2Fscript%3E%3Cscript%3Ealert%2810%29%3B%3C%2Fscript%3E
but it's worth pushing it anyway

status back to ASSIGNED if another XSS vulnerability is found fixed
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #45 from Chris Cormack <ch...@bigballofwax.co.nz> ---
Pushed to 3.8.x will be in 3.8.6
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #40 from Mason James <m...@kohaaloha.com> ---
passing QA on 2 patches...

$ koha-qa.pl -c 2
testing 2 commit(s) (applied to commit d91a4f8)

 * 09305f2 bug 3652 fixing XSS vulnerabilities in opac-search
     koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tt
     koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt
     koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt
 * 005a1ea Bug 3652: close XSS vulnerabilities in opac-export
     opac/opac-export.pl

 * opac/opac-export.pl                                            OK
 * koha-tmpl/opac-tmpl/prog/en/modules/opac-detail.tt             OK
 * koha-tmpl/opac-tmpl/prog/en/modules/opac-results-grouped.tt    OK
 * koha-tmpl/opac-tmpl/prog/en/modules/opac-results.tt            OK
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Mason James <m...@kohaaloha.com> changed:

           What    |Removed       |Added
  Attachment #12876|0             |1
        is obsolete|              |

--- Comment #41 from Mason James <m...@kohaaloha.com> ---
Created attachment 12926
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12926&action=edit
bug 3652 fixing XSS vulnerabilities in opac-search

Signed-off-by: Mason James <m...@kohaaloha.com>
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Mason James <m...@kohaaloha.com> changed:

           What    |Removed       |Added
             Status|Needs Signoff |Signed Off

--- Comment #42 from Mason James <m...@kohaaloha.com> ---
(In reply to comment #41)
> Created attachment 12926 [details]
> bug 3652 fixing XSS vulnerabilities in opac-search
> 
> Signed-off-by: Mason James <m...@kohaaloha.com>

tested Chris' patch, works well
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #43 from Mason James <m...@kohaaloha.com> ---
(In reply to comment #40)
> passing QA on 2 patches...

oops, QA'ed the wrong patch

$ koha-qa.pl -c 2
testing 2 commit(s) (applied to commit 32fab74)

 * 66a972f Bug 3652: close XSS vulnerabilities in opac-export
     opac/opac-export.pl
 * 2387688 Bug 3652: close XSS vulnerabilities on biblionumber and authid
     opac/opac-ISBDdetail.pl
     opac/opac-MARCdetail.pl
     opac/opac-authoritiesdetail.pl
     opac/opac-detail.pl
     opac/opac-showmarc.pl

 * opac/opac-export.pl              OK
 * opac/opac-ISBDdetail.pl          OK
 * opac/opac-MARCdetail.pl          OK
 * opac/opac-authoritiesdetail.pl   OK
 * opac/opac-detail.pl              OK
 * opac/opac-showmarc.pl            OK
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Mason James <m...@kohaaloha.com> changed:

           What    |Removed       |Added
            Version|rel_3_8       |master

--- Comment #44 from Mason James <m...@kohaaloha.com> ---
I actually tested these against master, I'll flick the version to reflect that (hope that's ok)
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Paul Poulain <paul.poul...@biblibre.com> changed:

           What    |Removed       |Added
  Attachment #12809|0             |1
        is obsolete|              |

--- Comment #37 from Paul Poulain <paul.poul...@biblibre.com> ---
Comment on attachment 12809
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12809
Bug 3652: [SIGNED-OFF] XSS fixes - follow up

QA comment, trivial patch, passes QA

pushed
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #38 from Paul Poulain <paul.poul...@biblibre.com> ---
Comment on attachment 12835
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12835
Bug 3652: close XSS vulnerabilities on biblionumber and authid

About this patch, Jared, why do you add || $query->param('bib'); to opac-ISBD|MARCdetail.pl ?
I see it's in opac-detail, but it's an oldies and not goodies (in early versions of Koha, biblionumber was sometimes written bib, bn, ...
It has been fixed, and I favour removing || $query->param('bib'); from opac-detail.pl, because we must not have param('bib')
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #39 from Jared Camins-Esakov <jcam...@cpbibliography.com> ---
(In reply to comment #38)
> Comment on attachment 12835 [details]
> Bug 3652: close XSS vulnerabilities on biblionumber and authid
> 
> About this patch, Jared, why do you add || $query->param('bib'); to opac-ISBD|MARCdetail.pl ?
> I see it's in opac-detail, but it's an oldies and not goodies (in early versions of Koha, biblionumber was sometimes written bib, bn, ...
> It has been fixed, and I favour removing || $query->param('bib'); from opac-detail.pl, because we must not have param('bib')

I wanted to make sure the behavior was identical, and I figured there must surely be a good reason for the $query->param('bib'). If you wanted to remove the || $query->param('bib') from all three files, I would not object at all.
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Jared Camins-Esakov <jcam...@cpbibliography.com> changed:

           What    |Removed       |Added
                 CC|              |neng...@gmail.com

--- Comment #35 from Jared Camins-Esakov <jcam...@cpbibliography.com> ---
*** Bug 8930 has been marked as a duplicate of this bug. ***
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #28 from Katrin Fischer <katrin.fisc...@bsz-bw.de> ---
Created attachment 12807
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12807&action=edit
Bug 3652: XSS fixes - follow up

Fixes a typo in the html filter that causes a problem when using the paging in the OPAC result lists.
(forgot to commit my change when testing the original XSS patches)
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Katrin Fischer <katrin.fisc...@bsz-bw.de> changed:

           What    |Removed         |Added
             Status|Pushed to Stable|ASSIGNED
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Katrin Fischer <katrin.fisc...@bsz-bw.de> changed:

           What    |Removed       |Added
  Attachment #12730|0             |1
        is obsolete|              |
  Attachment #12740|0             |1
        is obsolete|              |
  Attachment #12741|0             |1
        is obsolete|              |
  Attachment #12807|0             |1
        is obsolete|              |

--- Comment #29 from Katrin Fischer <katrin.fisc...@bsz-bw.de> ---
Created attachment 12808
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12808&action=edit
Bug 3652: XSS fixes - follow up

Fixes a typo in the html filter that causes a problem when using the paging in the OPAC result lists.
(forgot to commit my change when testing the original XSS patches)
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Katrin Fischer <katrin.fisc...@bsz-bw.de> changed:

           What    |Removed       |Added
             Status|ASSIGNED      |Needs Signoff
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Magnus Enger <mag...@enger.priv.no> changed:

           What    |Removed       |Added
  Attachment #12808|0             |1
        is obsolete|              |

--- Comment #30 from Magnus Enger <mag...@enger.priv.no> ---
Created attachment 12809
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12809&action=edit
Bug 3652: [SIGNED-OFF] XSS fixes - follow up

Fixes a typo in the html filter that causes a problem when using the paging in the OPAC result lists.
(forgot to commit my change when testing the original XSS patches)

Signed-off-by: Magnus Enger <mag...@enger.priv.no>
I triggered the error with this query string:
/cgi-bin/koha/opac-search.pl?idx=kw&q=o'reilly&offset=40&sort_by=author_az
After applying the patch the error is gone.
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Magnus Enger <mag...@enger.priv.no> changed:

           What    |Removed       |Added
             Status|Needs Signoff |Signed Off
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Jared Camins-Esakov <jcam...@cpbibliography.com> changed:

           What    |Removed       |Added
             Status|Signed Off    |Needs Signoff
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #31 from Jared Camins-Esakov <jcam...@cpbibliography.com> ---
Created attachment 12820
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12820&action=edit
Bug 3652: close XSS vulnerabilities on biblionumber and authid

Previously we did not sanitize biblionumber and authids passed in by the user.

To test:
1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a valid biblionumber for the 2).
2) Notice the presence of 2hi on this page, and also on the ISBD and MARC views.
3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye (substituting a valid authid for the 2).
4) Notice the presence of 2bye on this page.
5) Apply patch.
6) Notice that 2hi and 2bye strings are gone.
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #32 from Jared Camins-Esakov <jcam...@cpbibliography.com> ---
Created attachment 12823
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12823&action=edit
Bug 3652: close XSS vulnerabilities in opac-export

The opac-export.pl script had a number of XSS vulnerabilities relating to its error handling.

To test:
1) Go to /cgi-bin/koha/opac-export.pl?op=export&bib=2&format=<h2>evil</h2> (substituting a valid biblionumber for the '2')
2) Notice that evil is rendered as an h2 heading.
3) Apply patch.
4) Notice that you now see the h2 tags, and they are not rendered by the browser.
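The two patches in comments 31 and 32 fix the same class of defect from two sides: a record identifier that is never validated, and an error message that echoes a user-supplied value without escaping. The following Perl is an added illustration of those two defences, not Koha's code and not the content of either patch. The function names, the export-format whitelist and the sample inputs are constructed for this example; in Koha the output-escaping step is normally done by Template Toolkit's `| html` filter (the filter whose typo comment 28 fixes), shown here as a plain function so the example runs on its own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Record identifiers such as biblionumber and authid are integers.
# Accept only a run of digits; anything else (e.g. "2<hi>") is rejected
# up front instead of being carried into the page. (Hypothetical helper.)
sub clean_record_id {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([0-9]+)\z/ ? $1 + 0 : undef;
}

# Minimal HTML escaping for untrusted text that must be shown verbatim,
# the job Template Toolkit's "| html" filter does in Koha's templates.
sub html_escape {
    my ($text) = @_;
    return '' unless defined $text;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$map{$1}/g;
    return $text;
}

# Constructed whitelist of export formats (not Koha's actual list).
# Free-text values like "format" are never trusted: either they match a
# known key, or they are reported back only after escaping.
my %known_format = map { $_ => 1 } qw(marcxml marc8 utf8);

sub export_error_html {
    my ($format) = @_;
    $format = '' unless defined $format;
    return '' if $known_format{$format};
    return '<p class="error">Unknown export format: '
         . html_escape($format) . '</p>';
}

# Constructed inputs mirroring the test plans in comments 31 and 32.
for my $id ('2', '2<hi>', '12abc', '') {
    my $clean = clean_record_id($id);
    printf "biblionumber=%-10s -> %s\n", "'$id'",
        defined $clean ? "load record $clean" : "reject request";
}
print "marcxml: ", (export_error_html('marcxml') eq '' ? "no error" : "error"), "\n";
print export_error_html('<h2>evil</h2>'), "\n";
```

The two checks are deliberately different in kind: the identifier is validated against a strict grammar and the request refused on mismatch, while the format value is escaped at the point of output because an error message has to show the user what was wrong. Applying only escaping to the identifier would stop the markup from rendering but still pass a non-numeric value into the database lookup.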
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Chris Cormack <ch...@bigballofwax.co.nz> changed:

           What    |Removed       |Added
  Attachment #12820|0             |1
        is obsolete|              |

--- Comment #33 from Chris Cormack <ch...@bigballofwax.co.nz> ---
Created attachment 12835
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12835&action=edit
Bug 3652: close XSS vulnerabilities on biblionumber and authid

Previously we did not sanitize biblionumber and authids passed in by the user.

To test:
1) Go to /cgi-bin/koha/opac-detail.pl?biblionumber=2hi (substituting a valid biblionumber for the 2).
2) Notice the presence of 2hi on this page, and also on the ISBD and MARC views.
3) Go to /cgi-bin/koha/opac-authoritiesdetail.pl?authid=2bye (substituting a valid authid for the 2).
4) Notice the presence of 2bye on this page.
5) Apply patch.
6) Notice that 2hi and 2bye strings are gone.

Signed-off-by: Chris Cormack <chr...@catalyst.net.nz>
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Paul Poulain <paul.poul...@biblibre.com> changed:

           What    |Removed       |Added
             Status|Passed QA     |Pushed to Master
            Version|master        |rel_3_8

--- Comment #26 from Paul Poulain <paul.poul...@biblibre.com> ---
Patch pushed to master
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Chris Cormack <ch...@bigballofwax.co.nz> changed:

           What    |Removed         |Added
             Status|Pushed to Master|Pushed to Stable

--- Comment #27 from Chris Cormack <ch...@bigballofwax.co.nz> ---
Pushed to 3.8.x, will be in 3.8.6, probably needed for 3.6.x too
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Katrin Fischer <katrin.fisc...@bsz-bw.de> changed:

           What    |Removed       |Added
  Attachment #12737|0             |1
        is obsolete|              |
  Attachment #12738|0             |1
        is obsolete|              |

--- Comment #23 from Katrin Fischer <katrin.fisc...@bsz-bw.de> ---
Created attachment 12740
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12740&action=edit
[SIGNED-OFF] Bug 3652: XSS vulnerability in page numbering

Signed-off-by: Katrin Fischer <katrin.fischer...@web.de>
Confirmed the problem with test plan on the bug and checked that paging works correctly after the patch.
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #24 from Katrin Fischer <katrin.fisc...@bsz-bw.de> ---
Created attachment 12741
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12741&action=edit
[SIGNED-OFF] Bug 3652 XSS vulnerability in facets

Signed-off-by: Katrin Fischer <katrin.fischer...@web.de>
Confirmed bug with test plan on the bug and checked that problem is fixed after applying the patch and that facets still work.
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Katrin Fischer <katrin.fisc...@bsz-bw.de> changed:

           What    |Removed       |Added
             Status|Needs Signoff |Signed Off
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Chris Cormack <ch...@bigballofwax.co.nz> changed:

           What    |Removed       |Added
             Status|NEW           |ASSIGNED

--- Comment #15 from Chris Cormack <ch...@bigballofwax.co.nz> ---
XSS vulnerability when viewing shelves.

To test
1/ Visit /cgi-bin/koha/opac-shelves.pl?viewshelf=<blink>fish</blink>&sortfield=1

After patch this should no longer be blinking
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #16 from Chris Cormack <ch...@bigballofwax.co.nz> ---
Created attachment 12728
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12728&action=edit
Bug 3652 : [SECURITY] XSS vulnerability
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Chris Cormack <ch...@bigballofwax.co.nz> changed:

           What    |Removed       |Added
             Status|ASSIGNED      |Needs Signoff
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #17 from Chris Cormack <ch...@bigballofwax.co.nz> ---
Sorry, forgot to mention this only shows up when you don't have permission to view the list
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Magnus Enger <mag...@enger.priv.no> changed:

           What    |Removed       |Added
  Attachment #12728|0             |1
        is obsolete|              |

--- Comment #18 from Magnus Enger <mag...@enger.priv.no> ---
Created attachment 12729
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12729&action=edit
Bug 3652 : [SECURITY] XSS vulnerability

Signed-off-by: Magnus Enger <mag...@enger.priv.no>
Works as advertised. After applying the patch, <blink>fish</blink> is displayed on the page, but no blinking occurs.
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Magnus Enger <mag...@enger.priv.no> changed:

           What    |Removed       |Added
  Attachment #12729|0             |1
        is obsolete|              |

--- Comment #19 from Magnus Enger <mag...@enger.priv.no> ---
Created attachment 12730
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12730&action=edit
Bug 3652 : [SIGNED-OFF] [SECURITY] XSS vulnerability

Signed-off-by: Magnus Enger <mag...@enger.priv.no>
Works as advertised. After applying the patch, <blink>fish</blink> is displayed on the page, but no blinking occurs.
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Magnus Enger <mag...@enger.priv.no> changed:

           What    |Removed       |Added
             Status|Needs Signoff |Signed Off
                 CC|              |mag...@enger.priv.no
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Chris Cormack <ch...@bigballofwax.co.nz> changed:

           What    |Removed       |Added
             Status|Signed Off    |Needs Signoff

--- Comment #20 from Chris Cormack <ch...@bigballofwax.co.nz> ---
If you have a search that returns more than one page of results it is possible to craft an xss exploit.

With page numbers turned on try
/cgi-bin/koha/opac-search.pl?q=1&do=Search&limit-yr=1&limit=1&idx=kw&sort_by=relevance</a><b>This%20shouldn't%20happen</b>

Then try it again with the patch applied.

Another patch to follow to fix facets
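The page-numbering and facet bugs in comments 20 to 22 come from a pager that copies the current request's parameters (sort_by, limits, the query) into the "next page" links without encoding them for the place they land. The Perl below is an added illustration of how such a link is built safely; it is not Koha's pager code and not the content of the patches. The helper names, the sort-key whitelist and the sample parameters are constructed for this example; the sort_by value is the one from comment 20.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-encode a single query-string component, keeping only the
# RFC 3986 unreserved characters. (Hypothetical helper; URI::Escape does
# the same job in real code.)
sub uri_escape_component {
    my ($s) = @_;
    $s = '' unless defined $s;
    utf8::encode($s) if utf8::is_utf8($s);
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Escape text for placement inside an HTML attribute value or element body.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Sort keys the pager will carry forward: a constructed list holding the
# two values that appear in this thread, not Koha's real set.
my %allowed_sort = map { $_ => 1 } qw(relevance author_az);

# Build the "next page" link. Two layers, applied in order:
#   1. each parameter value is percent-encoded into the query string
#      (so a value cannot smuggle '&' or '=' into the URL structure);
#   2. the finished URL is HTML-escaped before it lands in href="..."
#      (so a value cannot break out of the attribute or the <a> element).
# Enumerated parameters (sort_by) are additionally checked against the
# whitelist and replaced with the default when they do not match.
sub pager_link {
    my ($base, $params, $offset) = @_;
    my %p = %$params;
    $p{sort_by} = 'relevance' unless $allowed_sort{ $p{sort_by} // '' };
    $p{offset}  = $offset;
    my $query = join '&',
        map { uri_escape_component($_) . '=' . uri_escape_component($p{$_}) }
        sort keys %p;
    return '<a href="' . html_escape("$base?$query") . '">Next</a>';
}

# Constructed request parameters: a free-text query with characters that
# matter to both URL and HTML syntax, and the sort_by value from comment 20.
my %params = (
    q       => q{o'reilly <b>},
    idx     => 'kw',
    sort_by => q{relevance</a><b>This shouldn't happen</b>},
);
print pager_link('/cgi-bin/koha/opac-search.pl', \%params, 20), "\n";
```

The output link keeps the query text intact but percent-encoded, turns the `&` separators into `&amp;` inside the attribute, and silently drops the bad sort_by in favour of the default. Doing only one of the two encodings is the usual mistake: HTML-escaping alone leaves `&` and `=` free to restructure the query string, and percent-encoding alone leaves a raw `&` in the attribute.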
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #21 from Chris Cormack <ch...@bigballofwax.co.nz> ---
Created attachment 12737
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12737&action=edit
Bug 3652: XSS vulnerability in page numbering
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

--- Comment #22 from Chris Cormack <ch...@bigballofwax.co.nz> ---
Created attachment 12738
  -- http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=12738&action=edit
Bug 3652 XSS vulnerability in facets
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Katrin Fischer katrin.fisc...@bsz-bw.de changed:

What  |Removed|Added
Blocks|       |2690
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Jared Camins-Esakov jcam...@cpbibliography.com changed:

What  |Removed |Added
Status|ASSIGNED|Needs Signoff
CC    |        |jcam...@cpbibliography.com
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Jared Camins-Esakov jcam...@cpbibliography.com changed:

What  |Removed      |Added
Status|Needs Signoff|Patch doesn't apply
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Owen Leonard oleon...@myacpl.org changed:

What            |Removed|Added
Attachment #1482|0      |1
is obsolete     |       |
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Owen Leonard oleon...@myacpl.org changed:

What            |Removed|Added
Attachment #2838|0      |1
is obsolete     |       |
[Koha-bugs] [Bug 3652] XSS vulnerabilities
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3652

Owen Leonard oleon...@myacpl.org changed:

What            |Removed|Added
Attachment #2784|0      |1
is obsolete     |       |