<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi,</p>
<p>In that case we can reach the user detailed information without
giving a password by curl.</p>
<p>If you want we can share the code how to get this information
without authentication, from this list.<br>
</p>
<br>
<div class="moz-cite-prefix">On 15-03-2017 18:50, Jonathan Druart
wrote:<br>
</div>
<blockquote
cite="mid:CAJzKNY4b5eQbScx+ZKZgJzJQog1F+2J-VgAsTsFOeTm9zG=5SQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Hi,<br>
</div>
<br>
authnotrequired is set to 1 because <a
moz-do-not-send="true"
href="http://opac-memberentry.pl">opac-memberentry.pl</a>
is also used by the self registration feature.<br>
</div>
The patron information displayed is based on the logged in
user, not a parameter passed to the script.<br>
<br>
</div>
Everything looks ok to me.<br>
<br>
</div>
Regards,<br>
</div>
Jonathan<br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, 15 Mar 2017 at 12:18 Devinim Koha
Development Team <<a moz-do-not-send="true"
href="mailto:kohadevinim@devinim.com.tr">kohadevinim@devinim.com.tr</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
<p class="gmail_msg">Hi all,</p>
<p class="gmail_msg">In the <a moz-do-not-send="true"
href="http://opac-memberentry.pl" class="gmail_msg"
target="_blank">opac-memberentry.pl</a>
authnotrequired area is 1 by default, in that case, user
information can be reached without given a user
authentication <br class="gmail_msg">
</p>
<p class="gmail_msg">and this can lead some
vulnerabilites, do we miss something? We were not able
to understand why it is 1 by default?</p>
<p class="gmail_msg">Thanks.<br class="gmail_msg">
</p>
</div>
<div bgcolor="#FFFFFF" text="#000000" class="gmail_msg">
<div class="m_1657876652455208796moz-cite-prefix
gmail_msg">On 14-03-2017 11:33, Chris Cormack wrote:<br
class="gmail_msg">
</div>
<blockquote type="cite" class="gmail_msg">Hi, <br
class="gmail_msg">
<br class="gmail_msg">
Normally once they are released the release maintainer
shifts them out of security. That one got missed,
shifted now <br class="gmail_msg">
<br class="gmail_msg">
Chris <br class="gmail_msg">
<br class="gmail_msg">
<div class="gmail_quote gmail_msg">On 14 March 2017
9:13:51 PM NZDT, Devinim Koha Development Team <a
moz-do-not-send="true"
class="m_1657876652455208796moz-txt-link-rfc2396E
gmail_msg" href="mailto:kohadevinim@devinim.com.tr"
target="_blank"><kohadevinim@devinim.com.tr></a>
wrote:
<blockquote class="gmail_quote gmail_msg"
style="margin:0pt 0pt 0pt 0.8ex;border-left:1px
solid rgb(204,204,204);padding-left:1ex">
<pre class="m_1657876652455208796k9mail gmail_msg">Hi all,
How can we see the fixes of security bugs?
We've faced with a vulnerability with Bug# 16969 in a new version, but
it's said that it was fixed in 3.22.10.
Thanks.
Devinim Koha Dev. Team
<hr class="gmail_msg">
Koha-devel mailing list
<a moz-do-not-send="true" class="m_1657876652455208796moz-txt-link-abbreviated gmail_msg" href="mailto:Koha-devel@lists.koha-community.org" target="_blank">Koha-devel@lists.koha-community.org</a>
<a moz-do-not-send="true" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" class="gmail_msg" target="_blank">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a moz-do-not-send="true" href="http://www.koha-community.org" class="gmail_msg" target="_blank">http://www.koha-community.org</a>/
git : <a moz-do-not-send="true" href="http://git.koha-community.org" class="gmail_msg" target="_blank">http://git.koha-community.org</a>/
bugs : <a moz-do-not-send="true" href="http://bugs.koha-community.org" class="gmail_msg" target="_blank">http://bugs.koha-community.org</a>/
</pre></blockquote></div>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
</blockquote>
</div>_______________________________________________
Koha-devel mailing list
<a moz-do-not-send="true" href="mailto:Koha-devel@lists.koha-community.org" class="gmail_msg" target="_blank">Koha-devel@lists.koha-community.org</a>
<a moz-do-not-send="true" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel" rel="noreferrer" class="gmail_msg" target="_blank">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a moz-do-not-send="true" href="http://www.koha-community.org/" rel="noreferrer" class="gmail_msg" target="_blank">http://www.koha-community.org/</a>
git : <a moz-do-not-send="true" href="http://git.koha-community.org/" rel="noreferrer" class="gmail_msg" target="_blank">http://git.koha-community.org/</a>
bugs : <a moz-do-not-send="true" href="http://bugs.koha-community.org/" rel="noreferrer" class="gmail_msg" target="_blank">http://bugs.koha-community.org/</a></blockquote></div></div>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre wrap="">_______________________________________________
Koha-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Koha-devel@lists.koha-community.org">Koha-devel@lists.koha-community.org</a>
<a class="moz-txt-link-freetext" href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel">http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel</a>
website : <a class="moz-txt-link-freetext" href="http://www.koha-community.org/">http://www.koha-community.org/</a>
git : <a class="moz-txt-link-freetext" href="http://git.koha-community.org/">http://git.koha-community.org/</a>
bugs : <a class="moz-txt-link-freetext" href="http://bugs.koha-community.org/">http://bugs.koha-community.org/</a></pre>
</blockquote>
</body></html>