[Koha-bugs] [Bug 5131] XSS vulnerability in the OPAC search results interface
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Tue Jul 26 11:06:35 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5131
Frère Sébastien Marie <semarie-koha at latrappe.fr> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |semarie-koha at latrappe.fr
--- Comment #2 from Frère Sébastien Marie <semarie-koha at latrappe.fr> 2011-07-26 09:06:35 UTC ---
As this kind of code permit user to control some System Preferences setted
normally by admin, it should be corrected.
One example: activation of Amazon images (on 3.4.2, using
"sort_by=OPACAmazonEnabled&sort_by=OPACAmazonCoverImages")
If it don't permit injection of code (it only add a template parameter of the
chosen name and with value = "1"), it could permit to control of workflow for
inclusion of unwanted part of code. So it is a possible vector for potentials
issues.
--
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
More information about the Koha-bugs
mailing list