[Bug 1747] Renew from opac-user.pl causes crash
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=1747 joe.atzberger@liblime.com changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|major |critical ------- Comment #3 from joe.atzberger@liblime.com 2008-01-07 10:19 ------- Same error affects renewal from staff interface, with either "Renew checked" or "Renew All". http://staff-atz.dev.kohalibrary.com/cgi-bin/koha/reserve/renewscript.pl HDL: Clearly a patron could not renew unless logged in, but he must already be logged in to even see what he has checked out! On the OPAC side, opac/opac-renew.pl is tiny, just 22 lines. And it does not seem to require the user to log in, or have any Auth at all. Upgrading severity since this is a security flaw and not just a bug: any anonymous 3rd party could renew items, with just the borrowernumber and itemnumber! ------- You are receiving this mail because: ------- You are the QA contact for the bug, or are watching the QA contact.
participants (1)
-
bugzilla-daemon@pippin.metavore.com