[Koha-bugs] [Bug 29914] New: check_cookie_auth not strict enough
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Jan 20 10:09:24 CET 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29914
Bug ID: 29914
Summary: check_cookie_auth not strict enough
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: ASSIGNED
Severity: critical
Priority: P5 - low
Component: Authentication
Assignee: jonathan.druart+koha at gmail.com
Reporter: jonathan.druart+koha at gmail.com
QA Contact: testopia at bugs.koha-community.org
CC: dpavlin at rot13.org
This has been found on bug 28786 comment 91.
check_cookie_auth is assuming that the user is authenticated if a cookie exists
and that the login/username exists in the DB.
This is very bad! I have no idea what are the possible breaches it opens, but
there are certainly some.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list