[Koha-bugs] [Bug 11341] XSS attack vendor in facets in OPAC - prog theme

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Dec 4 22:30:33 CET 2013


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11341

Tomás Cohen Arazi <tomascohen at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #23311|0                           |1
        is obsolete|                            |

--- Comment #2 from Tomás Cohen Arazi <tomascohen at gmail.com> ---
Created attachment 23312
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23312&action=edit
Bug 11341 : XSS in opac-search.pl (facets)

prog theme, bootstrap theme is safe

To test
1/ Craft a url like
 cgi-bin/koha/opac-search.pl?idx=kw&q=fish&offset=20"
onmouseover%3dprompt(994000) bad%3d"
 (the search must return enough results to have a show more link in the facets)

2/ Check the source, or mouseover the Show more links in the facets
   Notice the code is executable

3/ Apply patch - notice it is no longer executable

Signed-off-by: Tomas Cohen Arazi <tomascohen at gmail.com>

-- 
You are receiving this mail because:
You are watching all bug changes.


More information about the Koha-bugs mailing list