[Koha-bugs] [Bug 32369] New: Two Factor Authentication Can Be Bypassed If Catalog and Staff Client URL Aren't Properly Configured

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Nov 29 18:26:21 CET 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32369

            Bug ID: 32369
           Summary: Two Factor Authentication Can Be Bypassed If Catalog
                    and Staff Client URL Aren't Properly Configured
 Change sponsored?: ---
           Product: Koha
           Version: 22.05
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5 - low
         Component: Authentication
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: cslone at camdencountylibrary.org
        QA Contact: testopia at bugs.koha-community.org
                CC: dpavlin at rot13.org

Ideally, there aren't any publicly accessible, production sites set up in the
way described below, however there is a bypass of 2FA if there are (though this
would still require a compromised PIN).

I have a test environment of Koha on a local-network server. When I first set
it up, I made the staff client address the IP of the server, and the OPAC the
same IP at a specific port (xxx.xxx.xxx.xxx:8081). I've never gotten around to
correcting that, and consequently when I'm logged into the staff client it also
considers me to be logged in to the OPAC, and vice versa (at that point I can
go to either the IP or the IP+Port to go between them).

I set up two factor authentication on a staff account, which is working
correctly when I log into the staff client. As expected, when I log into the
OPAC there's no 2FA code requested, however I can then just go to the base IP
(the staff client) and I will be logged into the staff client without having to
deal with 2FA.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
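
The following is an illustration added to this report, not Koha's own code. It
models the situation described above: a browser cookie jar keyed by host (a
cookie set without a Domain/Path restriction is sent back to the same host on
any port, so an OPAC on :8081 and a staff client on :80 of one IP share the
session cookie), a login path where only the staff client asks for a TOTP
code, and two server-side authorization policies. The first trusts any live
session; the second also requires that the session completed 2FA before the
staff interface is granted, which is the check that closes the gap. All names,
the session store and the 192.0.2.10 addresses are assumptions for the example.

```python
"""
Added illustration, not Koha code.  Models why a session shared between the
OPAC and the staff client lets an OPAC login reach the staff client without
2FA, and the server-side check that prevents it.  All identifiers here are
assumptions made for this example.
"""
from dataclasses import dataclass
import secrets
from urllib.parse import urlsplit


@dataclass
class User:
    userid: str
    twofa_enabled: bool


@dataclass
class Session:
    userid: str
    twofa_verified: bool  # True only if a TOTP code was checked at login


class Server:
    """Server side: user table, session store and the authorization decision."""

    def __init__(self, users, require_2fa_on_staff):
        self.users = {u.userid: u for u in users}
        self.sessions = {}
        # The fix toggle: when False the server trusts any live session.
        self.require_2fa_on_staff = require_2fa_on_staff

    def login(self, userid, interface, totp_ok=False):
        """Create a session.  Only the staff ("intranet") path prompts for a
        TOTP code, mirroring the behaviour described in the report."""
        user = self.users[userid]
        if interface == "intranet" and user.twofa_enabled and not totp_ok:
            raise PermissionError("2FA required")
        sid = secrets.token_hex(16)
        verified = interface == "intranet" and user.twofa_enabled
        self.sessions[sid] = Session(userid, twofa_verified=verified)
        return sid

    def authorize(self, sid, interface):
        """Is the presented session cookie acceptable for this interface?"""
        sess = self.sessions.get(sid)
        if sess is None:
            return False
        if interface == "intranet" and self.require_2fa_on_staff:
            user = self.users[sess.userid]
            if user.twofa_enabled and not sess.twofa_verified:
                return False  # an OPAC-born session is rejected here
        return True


class Browser:
    """Cookie jar keyed by hostname only: a cookie with no Domain/Path scope
    is returned to the same host regardless of port (cookies do not isolate
    by port)."""

    def __init__(self):
        self.jar = {}

    def store(self, url, sid):
        self.jar[urlsplit(url).hostname] = sid

    def cookie_for(self, url):
        return self.jar.get(urlsplit(url).hostname)


def bypass_attempt(opac_url, staff_url, require_2fa_on_staff):
    """Log a 2FA-enabled staff account in through the OPAC (no TOTP prompt),
    then visit the staff client.  Returns True if the staff client accepts
    the session, i.e. 2FA was bypassed."""
    server = Server([User("staffer", twofa_enabled=True)], require_2fa_on_staff)
    browser = Browser()
    browser.store(opac_url, server.login("staffer", "opac"))
    presented = browser.cookie_for(staff_url)  # None if hosts differ
    return presented is not None and server.authorize(presented, "intranet")


def staff_login_ok(staff_url, require_2fa_on_staff):
    """Control case: a proper staff login with a valid TOTP code must still
    be accepted under either policy."""
    server = Server([User("staffer", twofa_enabled=True)], require_2fa_on_staff)
    browser = Browser()
    browser.store(staff_url, server.login("staffer", "intranet", totp_ok=True))
    return server.authorize(browser.cookie_for(staff_url), "intranet")


if __name__ == "__main__":
    # Constructed addresses: same host, different ports, as in the report.
    opac, staff = "http://192.0.2.10:8081/", "http://192.0.2.10/"
    print("bypass with shared host, no 2FA check:", bypass_attempt(opac, staff, False))
    print("bypass with shared host, 2FA check:   ", bypass_attempt(opac, staff, True))
    print("bypass with separate hosts:           ",
          bypass_attempt("http://opac.example.org/", "http://staff.example.org/", False))
```

Two things follow from running it. Separating the OPAC and staff client onto
distinct hostnames stops the cookie from being presented at all, which is the
configuration fix the report alludes to; but it is the server-side check,
refusing a staff interface request from a session that never passed 2FA, that
removes the dependency on deployment layout.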
