http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12126 Bug ID: 12126 Summary: SIP authentication bypassed Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: SIP2 Assignee: koha-bugs@lists.koha-community.org Reporter: cbrannon@cdalibrary.org QA Contact: testopia@bugs.koha-community.org CC: colin.campbell@ptfs-europe.com SIP Authentication will allow transactions even if credentials are incorrect, as long as someone has authenticated correctly on the server, even if it is from another machine! Steps to reproduce: 1 - Authenticate from machine A with good credentials. Make a transaction. 2 - Use bad credentials on machine B. Make a transaction. For example, check something out. The transaction will appear in Koha as though it were checked out from the library credentials machine A was using. 3 - Change the credentials on machine A to a sip user for another library. Make a transaction. 4 - Using the same or other bad credentials on machine B, check something out. Koha will show item checked out from the library credentials machine A used last. When good credentials are used, SIP transactions work as expected. However, when bad credentials are used, whether it is username, password, or even port, Koha fails over to the last good credentials used. As long as you are pointing to the server, you can complete a transaction. Christopher -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.