[koha-commits] main Koha release repository branch master updated. v16.11.00-339-g0c3c162
Git repo owner
gitmaster at git.koha-community.org
Mon Jan 30 15:28:31 CET 2017
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "main Koha release repository".
The branch, master has been updated
via 0c3c162f767f5587f5fad7375151f8efca3689b3 (commit)
from b0bb1b0aa60071950a39b1c1b9e9ec145b304086 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 0c3c162f767f5587f5fad7375151f8efca3689b3
Author: Jonathan Druart <jonathan.druart at bugs.koha-community.org>
Date: Fri Jan 13 16:19:45 2017 +0100
Bug 17905: FIX CSRF in member-flags
If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible
The exploit can be simulated by triggering
/cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian
Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko at abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy at rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle at bywatersolutions.com>
-----------------------------------------------------------------------
Summary of changes:
.../prog/en/modules/members/member-flags.tt | 1 +
members/member-flags.pl | 17 +++++++++++++++++
2 files changed, 18 insertions(+)
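The fix described in the commit above makes the flag-editing page refuse a request unless it carries a valid CSRF token, so a link planted on another site (which can set query parameters but cannot read the victim's session-bound token) is rejected with "Wrong CSRF token". The following Perl script is an added illustration of that pattern; it is not part of this notification and not Koha's own code (the real change lives in the two files listed above). The secret, the session id, the request shape and the handler name are constructed assumptions for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Server-side secret. Constructed for the example; a real deployment reads it
# from configuration and never hard-codes it.
my $SECRET = 'constructed-example-secret-do-not-reuse';

# Derive a CSRF token bound to the logged-in session, so a token issued for one
# session cannot be replayed in another.
sub generate_csrf_token {
    my ($session_id) = @_;
    return hmac_sha256_hex($session_id, $SECRET);
}

# Constant-time string comparison so a mismatch does not leak timing information.
sub secure_equals {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub check_csrf_token {
    my ($session_id, $token) = @_;
    return secure_equals(generate_csrf_token($session_id), $token);
}

# Simulated handler for a privilege-changing page: the flags are only applied
# when the request carries a token matching the caller's own session.
sub handle_member_flags {
    my (%req) = @_;
    return { status => 403, error => 'Wrong CSRF token' }
        unless check_csrf_token($req{session_id}, $req{csrf_token});
    return { status => 200, applied => 1 };
}

# Constructed requests. The first mimics a cross-site link: the query
# parameters are attacker-chosen, but no session-bound token is present.
my $session = 'constructed-session-id';
my $forged = handle_member_flags(
    session_id => $session, member => 42, newflags => 1, flag => 'superlibrarian',
);
# The second mimics a submission from the application's own form, which embeds
# the token generated for the current session as a hidden field.
my $legit = handle_member_flags(
    session_id => $session, member => 42, newflags => 1, flag => 'superlibrarian',
    csrf_token => generate_csrf_token($session),
);

printf "cross-site request: %d %s\n", $forged->{status}, $forged->{error} // '';
printf "form submission:    %d\n",    $legit->{status};
```

The token is emitted into the page's form as a hidden input and checked before any state change; because it is an HMAC over the session id, it needs no extra server-side storage, but it must be regenerated when the session changes and must only ever be compared with a constant-time routine.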
hooks/post-receive
--
main Koha release repository