[Koha-bugs] [Bug 3652] New: XSS vulnerabilities
bugzilla-daemon at kohaorg.ec2.liblime.com
Mon Sep 21 15:11:36 CEST 2009
http://bugs.koha.org/cgi-bin/bugzilla3/show_bug.cgi?id=3652
Summary: XSS vulnerabilities
Product: Koha
Version: rel_3_2
Platform: All
OS/Version: All
Status: NEW
Severity: critical
Priority: P5
Component: Templates
AssignedTo: mjr at ttllp.co.uk
ReportedBy: mjr at ttllp.co.uk
Estimated Hours: 0.0
Change sponsored?: ---
Koha has several XSS attack opportunities. There are two approaches to fixing this:

1. identify and ESCAPE="HTML" (or URL or JS) all places in the templates which are vulnerable;
2. set default_escape => "HTML" in C4::Output and identify the places in the templates which require ESCAPE="0" (unescaped) output.

1 (default permit) seems less secure than 2. 2 will break some things in the short term.
This seems like a generalisation of bug #2690.
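The two approaches from the report, side by side in plain HTML::Template, as an added example that is not part of the bug report or of Koha's code. The templates and sample values are constructed, and C4::Output's wrapper is not shown; the point is the behaviour of a forgotten TMPL_VAR under each policy.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): default-permit vs default-deny escaping.
use strict;
use warnings;
use HTML::Template;

# Constructed sample: a user-supplied value that happens to contain markup.
my $term = q{<b>user markup</b>};
# Constructed sample: markup generated by the application itself, safe to emit raw.
my $pager = q{<a href="?page=2">next</a>};

# Approach 1 (default permit): only variables explicitly marked ESCAPE="HTML"
# are escaped. The second variable was simply forgotten.
my $tmpl1 = <<'HTML';
<p>Results for: <TMPL_VAR NAME="term" ESCAPE="HTML"></p>
<p>Also shown: <TMPL_VAR NAME="term_again"></p>
HTML

# Approach 2 (default deny): every TMPL_VAR is escaped by default_escape;
# trusted markup must opt out explicitly with ESCAPE="0".
my $tmpl2 = <<'HTML';
<p>Results for: <TMPL_VAR NAME="term"></p>
<p>Also shown: <TMPL_VAR NAME="term_again"></p>
<div class="pager"><TMPL_VAR NAME="pager" ESCAPE="0"></div>
HTML

# Render a template string with the given HTML::Template options.
sub render {
    my ($text, %opts) = @_;
    my $t = HTML::Template->new(
        scalarref         => \$text,
        die_on_bad_params => 0,   # tmpl1 has no "pager" variable
        %opts,
    );
    $t->param(term => $term, term_again => $term, pager => $pager);
    return $t->output;
}

print "--- approach 1: per-variable ESCAPE ---\n";
print render($tmpl1);    # the unmarked variable passes <b> through unchanged

print "--- approach 2: default_escape => 'HTML' ---\n";
print render($tmpl2, default_escape => 'HTML');    # both terms become &lt;b&gt;...; pager intact
```

Run it to see that under approach 1 a single missed variable is enough to emit raw markup, while under approach 2 the only raw output is the variable that was deliberately marked ESCAPE="0".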