https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29914 Bug ID: 29914 Summary: check_cookie_auth not strict enough Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: ASSIGNED Severity: critical Priority: P5 - low Component: Authentication Assignee: jonathan.druart+koha@gmail.com Reporter: jonathan.druart+koha@gmail.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org This has been found on bug 28786 comment 91. check_cookie_auth is assuming that the user is authenticated if a cookie exists and that the login/username exists in the DB. This is very bad! I have no idea what are the possible breaches it opens, but there are certainly some. -- You are receiving this mail because: You are watching all bug changes.