liblime / LibLime-Koha

LibLime Koha is the most mature of the open source ILS applications. Based on the ground-breaking 3.0 platform (derived from the original Koha offering of 1999), LibLime Koha is a completely web-based open source ILS, with library staff, systems librarians, and library users all accessing LibLime Koha through a web browser. Relying on the MySQL relational database, all LibLime Koha data is readily accessible.
http://koha.org/
GNU General Public License v2.0

Positive Technologies Research Team detects XSS in Koha Library Software #3

Closed ranginui closed 13 years ago

ranginui commented 13 years ago

The vulnerability was detected by Yuri Goltsev, Positive Technologies Research Lab

ctfliblime commented 13 years ago

Thank you for the heads-up regarding these XSS vectors and for the patch which indicates the specific entry points. However, the commit has several typos (e.g. missing spaces between tag elements) and the approach doesn't nip the problem in the bud, allowing users to potentially go on manipulating bogus data with who can say what results. Better to fail quickly. See commit e22b18f for a different approach.
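The contrast the comment draws, as an added illustration that is not code from this pull request, from commit e22b18f, or from Koha itself: an escape-and-continue handler renders a bogus parameter harmlessly but still passes it to every later step, while a validate-and-fail handler rejects it before any further processing. The `borrowernumber` parameter, the `validate_borrowernumber` helper and the sample inputs are assumptions for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Approach 1: escape on output and carry on. The markup is neutralised in
# this one template, but the bogus value itself survives and is handed to
# whatever processing follows (lookups, redirects, other templates).
sub render_escaped {
    my ($param) = @_;
    my $safe = encode_entities($param, '<>&"\'');
    return "<input name=\"borrowernumber\" value=\"$safe\">";
}

# Approach 2: fail fast. A borrowernumber (assumed name) is a positive
# integer; anything else is refused before the request reaches templates
# or the database, so there is no bogus data left to manipulate.
sub validate_borrowernumber {
    my ($param) = @_;
    die "bad borrowernumber\n"
        unless defined $param && $param =~ /\A[0-9]+\z/;
    return $param + 0;
}

sub handle_request {
    my ($param) = @_;
    my $id = eval { validate_borrowernumber($param) };
    return { status => 400, body => 'invalid request' } unless defined $id;
    return { status => 200,
             body   => "<input name=\"borrowernumber\" value=\"$id\">" };
}

# Constructed sample inputs: one legitimate, one carrying injected markup.
for my $input ( '42', '42"><script>alert(1)</script>' ) {
    printf "%-36s escaped:   %s\n", $input, render_escaped($input);
    my $r = handle_request($input);
    printf "%-36s fail-fast: %d %s\n", $input, $r->{status}, $r->{body};
}
```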