[Bug 3652] New: XSS vulnerabilities
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3652 Summary: XSS vulnerabilities Product: Koha Version: rel_3_2 Platform: All OS/Version: All Status: NEW Severity: critical Priority: P5 Component: Templates AssignedTo: mjr@ttllp.co.uk ReportedBy: mjr@ttllp.co.uk Estimated Hours: 0.0 Change sponsored?: --- Koha has several XSS attack opportunities. There are two approaches to fixing this: 1. identify and ESCAPE="HTML" (or URL or JS) all places in the templates which are vulnerable; 2. set default_escape => "HTML" in C4::Output and identify the places in the templates which require ESCAPE="0" (unescaped) output. 1 (default permit) seems less secure than 2. 2 will break some things in the short term. This seems like a generalisation of bug #2690. -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3652 MJR <mjr@ttllp.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sirusdv@pwnzord.com --- Comment #1 from MJR <mjr@ttllp.co.uk> 2009-11-04 22:53:28 --- *** Bug 3759 has been marked as a duplicate of this bug. *** -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3652 --- Comment #2 from Garry Collum <gcollum@gmail.com> 2010-02-16 00:08:34 --- Created an attachment (id=1629) --> (http://bugs.koha.org/cgi-bin/bugzilla3/attachment.cgi?id=1629) Patch for opac-search-history.tmpl -- Configure bugmail: http://bugs.koha.org/cgi-bin/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching all bug changes.
participants (1)
-
bugzilla-daemon@kohaorg.ec2.liblime.com