Reflected XSS vulnerability OPAC org unit selector
Bug #2019157 reported by Jane Sandberg
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | High | Unassigned |
3.10 | Fix Released | High | Unassigned |
3.11 | Fix Released | High | Unassigned |
3.12 | Fix Released | High | Unassigned |
Bug Description
Expected behavior: the locg param is not used directly without sanitization.
Actual behavior: the locg param is embedded verbatim in several pages as part of the org unit dropdown
Steps to reproduce:
* Go to [your_domain]
* Note that the site executes javascript code that is passed in via the URL.
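The description above says the `locg` query parameter is written verbatim into the org unit dropdown, which is what lets a value that closes the surrounding attribute inject markup. The following is an added illustration, not Evergreen's template code or the project's fix: a deliberately vulnerable renderer that interpolates `locg` directly, next to a hardened one that validates the value against the known org unit ids and HTML-escapes anything it emits, plus a small check suitable for a regression test. The org unit table and the hostile value (the report's own `alert` payload) are constructed sample data.

```python
import html
import re

# Constructed sample org-unit tree standing in for the OPAC's org tree (not Evergreen data).
ORG_UNITS = {1: "CONS", 2: "SYS1", 4: "BR1", 5: "BR2"}

# Constructed request value of the kind the bug report describes: it closes the
# value="" attribute and injects a script element.
HOSTILE_LOCG = "'><script>alert('bad bad bad')</script>"


def render_org_select_vulnerable(locg: str) -> str:
    """Vulnerable pattern: the request parameter is interpolated verbatim into the markup.

    Mirrors the behaviour the report describes (parameter embedded without sanitization);
    this is an illustration, not Evergreen's actual template.
    """
    options = "".join(
        f'<option value="{ou_id}"{" selected" if str(ou_id) == locg else ""}>{name}</option>'
        for ou_id, name in ORG_UNITS.items()
    )
    # A hidden input carries the requested locg so it is resubmitted with the search.
    return f'<input type="hidden" name="locg" value="{locg}"><select name="locg">{options}</select>'


def render_org_select_hardened(locg: str, default: int = 1) -> str:
    """Hardened pattern: validate first, escape always.

    Only an integer id that exists in the org tree is accepted; anything else
    falls back to the default org unit. Every emitted value is HTML-escaped
    so that even a name containing quotes cannot break out of an attribute.
    """
    chosen = default
    if re.fullmatch(r"[0-9]+", locg) and int(locg) in ORG_UNITS:
        chosen = int(locg)
    options = "".join(
        f'<option value="{ou_id}"{" selected" if ou_id == chosen else ""}>'
        f'{html.escape(name, quote=True)}</option>'
        for ou_id, name in ORG_UNITS.items()
    )
    safe = html.escape(str(chosen), quote=True)
    return f'<input type="hidden" name="locg" value="{safe}"><select name="locg">{options}</select>'


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_injected_script(markup: str) -> bool:
    """Regression-test helper: the rendered selector must never contain a script tag,
    since nothing in the org unit markup legitimately emits one."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    print("vulnerable leaks script:", contains_injected_script(render_org_select_vulnerable(HOSTILE_LOCG)))
    print("hardened leaks script:  ", contains_injected_script(render_org_select_hardened(HOSTILE_LOCG)))
```

Validation against the org tree is what removes the problem at its root: once `locg` can only ever be one of the known ids, escaping becomes defence in depth rather than the sole barrier, and a test like `contains_injected_script` gives a cheap check that the rendered page no longer reflects the parameter.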
tags: added bitesize
Changed in evergreen:
  status: New → Confirmed
  importance: Undecided → High
Changed in evergreen:
  assignee: nobody → Jason Stephenson (jstephenson)
tags: added signedoff
Changed in evergreen:
  assignee: Jason Stephenson (jstephenson) → nobody
Changed in evergreen:
  milestone: none → 3.13.2
no longer affects: evergreen/3.13
Changed in evergreen:
  milestone: 3.13.2 → 3.13.1
Changed in evergreen:
  status: Confirmed → Fix Committed
  information type: Private Security → Public Security
Changed in evergreen:
  status: Fix Committed → Fix Released
Here is a branch in the security repo: user/sandbergja/lp2019157-reflected-xss-in-orgselect
Steps to test, from the commit message:
1. If you don't already have a library group, go to Admin > Server > Library Groups and make one that is Global.
2. In your browser, go to [your_domain]/eg/opac/home?locg='><script>alert('bad bad bad')</script>
3. Note that the site executes javascript code that is passed in via the URL.
4. Apply this patch
5. Repeat step 2.
6. Note that the arbitrary js does not get run anymore.
7. Confirm that library group searching still works as expected.