[Koha-bugs] [Bug 11341] XSS attack vendor in facets in OPAC - prog theme
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Dec 4 22:57:12 CET 2013
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11341
Brendan Gallagher <brendan at bywatersolutions.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #23312|0 |1
is obsolete| |
--- Comment #3 from Brendan Gallagher <brendan at bywatersolutions.com> ---
Created attachment 23313
-->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23313&action=edit
[PASSED-QA] Bug 11341 : XSS in opac-search.pl (facets)
prog theme, bootstrap theme is safe
To test
1/ Craft a url like
cgi-bin/koha/opac-search.pl?idx=kw&q=fish&offset=20"
onmouseover%3dprompt(994000) bad%3d"
(the search must return enough results to have a show more link in the facets)
2/ Check the source, or mouseover the Show more links in the facets
Notice the code is executable
3/ Apply patch - notice it is no longer executable
Signed-off-by: Tomas Cohen Arazi <tomascohen at gmail.com>
Signed-off-by: Brendan Gallagher <brendan at bywatersolutions.com>
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list