[Koha-bugs] [Bug 32369] New: Two Factor Authentication Can Be Bypassed If Catalog and Staff Client URL Aren't Properly Configured
bugzilla-daemon at bugs.koha-community.org
Tue Nov 29 18:26:21 CET 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32369
Bug ID: 32369
Summary: Two Factor Authentication Can Be Bypassed If Catalog and Staff Client URL Aren't Properly Configured
Change sponsored?: ---
Product: Koha
Version: 22.05
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5 - low
Component: Authentication
Assignee: koha-bugs at lists.koha-community.org
Reporter: cslone at camdencountylibrary.org
QA Contact: testopia at bugs.koha-community.org
CC: dpavlin at rot13.org
Ideally, there aren't any publicly accessible, production sites set up in the
way described below; however, there is a bypass of 2FA if there are (though this
would still require a compromised PIN).
I have a test environment of Koha on a local-network server. When I first set
it up, I made the staff client address the IP of the server, and the OPAC the
same IP at a specific port (xxx.xxx.xxx.xxx:8081). I've never gotten around to
correcting that, and consequently when I'm logged into the staff client it also
considers me to be logged in to the OPAC, and vice versa (at that point I can
go to either the IP or the IP+Port to go between them).
I set up two factor authentication on a staff account, which is working
correctly when I log into the staff client. As expected, when I log into the
OPAC there's no 2FA code requested; however, I can then just go to the base IP
(the staff client) and I will be logged into the staff client without having to
deal with 2FA.
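The root cause described in the report is browser cookie scope: cookies are keyed by host name only, not by port, so an OPAC on `host:8081` and a staff client on `host` receive the same session cookie. The following audit check is an added example (not Koha code) that flags configured OPAC and staff client base URLs whose cookie scopes overlap; the URL values are constructed, and the reference to the OPACBaseURL and staffClientBaseURL system preferences is an assumption about where an administrator would read them from.

```python
"""Audit whether two Koha base URLs would share a browser session cookie.

Added example, not part of Koha. Assumes the values come from the
OPACBaseURL and staffClientBaseURL system preferences; the sample
URLs below are constructed to mirror the bug report (same IP, OPAC on
port 8081).
"""
from urllib.parse import urlsplit


def cookie_host(url: str) -> str:
    """Return the host a browser uses to scope cookies for this URL.

    Browsers match cookies on host name only; scheme and port are ignored
    (RFC 6265), so http://host and http://host:8081 share one cookie jar.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    return parts.hostname.lower().rstrip(".")


def sessions_shared(opac_url: str, staff_url: str) -> bool:
    """True if a session cookie set by one interface reaches the other.

    Same host on any port is the case from the report. A host that is an
    ancestor of the other is flagged too, because a cookie carrying a
    Domain attribute for the ancestor is sent to its subdomains.
    Sibling hosts (opac.example.org / staff.example.org) are not flagged.
    """
    opac, staff = cookie_host(opac_url), cookie_host(staff_url)
    if opac == staff:
        return True
    return opac.endswith("." + staff) or staff.endswith("." + opac)


def audit(opac_url: str, staff_url: str) -> str:
    """Human-readable verdict for a pair of configured base URLs."""
    if sessions_shared(opac_url, staff_url):
        return (f"WARNING: {opac_url} and {staff_url} share cookie scope; "
                "an OPAC login without 2FA is also a staff client login")
    return "OK: OPAC and staff client use separate cookie scopes"


if __name__ == "__main__":
    # Constructed values reproducing the misconfiguration in the report.
    print(audit("http://192.0.2.10:8081", "http://192.0.2.10"))
    # Constructed values for a correctly separated deployment.
    print(audit("https://opac.example.org", "https://staff.example.org"))
```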