Researchers at SBA Research found several critical security vulnerabilities in the Koha library software via combinatorial testing

Raschin Tavakoli, Bernhard Garn, Peter Aufner and Dimitris Simos of the Combinatorial Security Testing team at SBA Research found several critical security vulnerabilities in the Koha library software. The vulnerabilities include unauthenticated SQL injection, local file inclusion, cross-site scripting (XSS) and cross-site request forgery (CSRF), which together allow a remote attacker to completely compromise the web application and the web server it runs on. After the findings were disclosed in full to the community, the Koha development team fixed all issues and published security releases for the maintained branches (Koha 3.20.1, 3.18.8 and 3.16.12). SBA Research would like to thank Chris Cormack and his team.
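
As an added illustration of the combinatorial testing approach named above (example code written for this page, not SBA Research's tooling and not Koha code): a toy Python model of a request handler with three parameters, where each parameter has a few benign values plus one representative value per attack class. A greedy pairwise generator produces a test set that covers every pair of parameter values, a deliberately vulnerable handler and a hardened variant are both exercised with that set, and simple oracles flag SQL injection, local file inclusion and reflected XSS. The parameter names, payloads, template root and SQL are all constructed for the example and are not taken from Koha.

```python
"""Pairwise combinatorial security testing of a toy web handler.
Added example: not SBA Research's tooling and not Koha code. Parameter
names, payloads, template root and SQL are constructed for illustration."""
import html
import posixpath
from itertools import combinations, product

# Constructed input model: benign values plus one value per attack class.
PARAMS = {
    "q":    ["perl", "koha", "' OR '1'='1", "<script>alert(1)</script>"],
    "page": ["main", "results", "../../../../etc/passwd"],
    "sort": ["asc", "desc", "1; DROP TABLE borrowers"],
}
TEMPLATE_ROOT = "/var/www/templates/"  # hypothetical template directory

def all_pairs(params):
    """Every (param, value) pair combination a pairwise test set must cover."""
    return {((a, va), (b, vb)) for a, b in combinations(params, 2)
            for va, vb in product(params[a], params[b])}

def pairs_of(params, test):
    return {((a, test[a]), (b, test[b])) for a, b in combinations(params, 2)}

def pairwise_tests(params):
    """Greedy pairwise generation: repeatedly pick the full test that covers
    the most still-uncovered value pairs until every pair is covered."""
    names = list(params)
    uncovered = all_pairs(params)
    tests = []
    while uncovered:
        best, best_gain = None, -1
        for combo in product(*(params[n] for n in names)):
            test = dict(zip(names, combo))
            gain = len(pairs_of(params, test) & uncovered)
            if gain > best_gain:
                best, best_gain = test, gain
        tests.append(best)
        uncovered -= pairs_of(params, best)
    return tests

def covers_all_pairs(params, tests):
    return all_pairs(params) <= set().union(*(pairs_of(params, t) for t in tests))

def vulnerable_handler(req):
    """Deliberately vulnerable toy handler: string-built SQL, unvalidated
    template path, and unencoded reflection of user input."""
    sql = ("SELECT * FROM biblio WHERE title LIKE '%" + req["q"] + "%'"
           " ORDER BY title " + req["sort"])
    path = TEMPLATE_ROOT + req["page"] + ".tt"
    out = "<h1>Results for " + req["q"] + "</h1>"
    return {"sql": sql, "params": (), "path": path, "html": out}

ALLOWED_SORT = {"asc": "ASC", "desc": "DESC"}
ALLOWED_PAGES = {"main", "results"}

def hardened_handler(req):
    """Same functionality with a bound parameter, allow-lists for the parts
    that cannot be bound (ORDER BY direction, template name), and output encoding."""
    sort = ALLOWED_SORT.get(req["sort"], "ASC")
    sql = "SELECT * FROM biblio WHERE title LIKE ? ORDER BY title " + sort
    page = req["page"] if req["page"] in ALLOWED_PAGES else "main"
    path = TEMPLATE_ROOT + page + ".tt"
    out = "<h1>Results for " + html.escape(req["q"]) + "</h1>"
    return {"sql": sql, "params": ("%" + req["q"] + "%",), "path": path, "html": out}

def oracle(req, resp):
    """Crude symptom checks standing in for a real test oracle."""
    findings = set()
    # SQLi: a quoted input survives verbatim in the statement text, or a
    # statement separator reached the query.
    if ("'" in req["q"] and req["q"] in resp["sql"]) or ";" in resp["sql"]:
        findings.add("sqli")
    # LFI: the normalized template path escapes the template root.
    if not posixpath.normpath(resp["path"]).startswith(TEMPLATE_ROOT):
        findings.add("lfi")
    # XSS: script markup from the input is reflected without encoding.
    if "<script>" in resp["html"]:
        findings.add("xss")
    return findings

def run_campaign(handler, params=PARAMS):
    """Run the pairwise test set through a handler and map each finding
    class to the tests that triggered it."""
    tests = pairwise_tests(params)
    report = {}
    for t in tests:
        for f in oracle(t, handler(t)):
            report.setdefault(f, []).append(t)
    return tests, report
```

With this model the greedy generator needs far fewer than the 36 exhaustive combinations while still placing every attack value next to every value of every other parameter, which is what lets interaction-dependent bugs surface; `run_campaign(vulnerable_handler)` reports all three classes, and `run_campaign(hardened_handler)` reports none. A real campaign replaces the toy handler with HTTP requests and the string oracles with response-based ones.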

Koha is a leading open source Integrated Library System (ILS), used worldwide by thousands of public, school and special libraries. It has an active community and several commercial supporters such as LibLime, ByWater Solutions and BibLibre. Notable Koha users include the Museum of Natural History in Vienna, the UNIDO library and the Spanish Ministry of Culture.

More details can be found in the Koha security release announcements:

http://koha-community.org/security-release-koha-3-20-1/
http://koha-community.org/security-release-koha-3-18-8/
http://koha-community.org/security-release-koha-3-16-12/

and in the individual bug reports:

http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423