projects / koha.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8c3da35)
Bug 19079 - XSS Flaws in Membership page
authorAmit Gupta <amit.gupta@informaticsglobal.com>
Fri, 11 Aug 2017 15:38:14 +0000 (21:08 +0530)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Tue, 29 Aug 2017 15:00:37 +0000 (12:00 -0300)
1. Hit /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
   xx - is a borrowernumber
2. Notice the java script is executed.
4. Apply patch.
5. Reload page, and hit the page again /cgi-bin/koha/members/moremember.pl?borrowernumber=xx<script>alert('amit')</script>.
   xx - is a borrowernumber.
6. Notice it is no longer executed.

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
members/moremember.pl patch | blob | history

diff --git a/members/moremember.pl b/members/moremember.pl
index b70a068..5b61df3 100755 (executable)
--- a/members/moremember.pl
+++ b/members/moremember.pl
@@ -36,6 +36,7 @@
 use strict;
 #use warnings; FIXME - Bug 2505
 use CGI qw ( -utf8 );
+use HTML::Entities;
 use C4::Context;
 use C4::Auth;
 use C4::Output;
@@ -116,6 +117,7 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
     }
 );
 my $borrowernumber = $input->param('borrowernumber');
+$borrowernumber = HTML::Entities::encode($borrowernumber);
 my $error = $input->param('error');
 $template->param( error => $error ) if ( $error );
 
Koha ILS @ FFZG - based on git://git.koha.org/pub/scm/koha.git