[Koha-bugs] [Bug 1747] Renew from opac-user.pl causes crash
bugzilla-daemon at pippin.metavore.com
Mon Jan 7 19:19:10 CET 2008
http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=1747
joe.atzberger at liblime.com changed:
What     |Removed |Added
---------|--------|---------
Severity |major   |critical
------- Comment #3 from joe.atzberger at liblime.com 2008-01-07 10:19 -------
Same error affects renewal from staff interface, with either "Renew checked" or
"Renew All".
http://staff-atz.dev.kohalibrary.com/cgi-bin/koha/reserve/renewscript.pl
HDL: Clearly a patron could not renew unless logged in, but he must already be
logged in to even see what he has checked out!
On the OPAC side, opac/opac-renew.pl is tiny, just 22 lines. And it does not
seem to require the user to log in, or have any Auth at all.
Upgrading severity since this is a security flaw and not just a bug: any
anonymous 3rd party could renew items, with just the borrowernumber and
itemnumber!
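The access-control gap described in this comment, modelled as an added example (not part of the bug report and not Koha's own code): one function trusts the borrowernumber and itemnumber parameters exactly as the reported script does, the other first requires a login and then checks that the item is actually on loan to the logged-in patron. All names, the Session and Issue types and the sample loan table are constructed for illustration.

```python
"""Constructed model of the access control a renewal endpoint needs.

Not Koha code: every name and value here is invented for this example.
It places the pattern the bug describes (a script that trusts the
borrowernumber and itemnumber parameters without any login) beside a
version that authenticates the caller and checks item ownership.
"""
from dataclasses import dataclass
from typing import Dict, Optional


class RenewalError(Exception):
    """Raised when a renewal request is refused."""


@dataclass
class Session:
    """Hypothetical login session; borrowernumber is None for anonymous callers."""
    borrowernumber: Optional[int] = None


@dataclass
class Issue:
    """One item currently checked out (constructed record)."""
    itemnumber: int
    borrowernumber: int
    renewals: int = 0


def sample_issues() -> Dict[int, Issue]:
    """Constructed loan table: patron 1 has item 101, patron 2 has item 202."""
    return {
        101: Issue(itemnumber=101, borrowernumber=1),
        202: Issue(itemnumber=202, borrowernumber=2),
    }


def renew_unchecked(issues: Dict[int, Issue], borrowernumber: int, itemnumber: int) -> int:
    """The flaw as reported: the two request parameters are trusted and the
    caller's identity is never established, so anyone can renew anyone's item."""
    issue = issues[itemnumber]
    issue.renewals += 1
    return issue.renewals


def renew_checked(session: Session, issues: Dict[int, Issue],
                  borrowernumber: int, itemnumber: int) -> int:
    """Hardened version: require a login, then require that the item is
    on loan to the logged-in patron rather than to whatever borrowernumber
    the request happened to name."""
    if session.borrowernumber is None:
        raise RenewalError("login required")                      # authentication
    if borrowernumber != session.borrowernumber:
        raise RenewalError("borrowernumber does not match the session")
    issue = issues.get(itemnumber)
    if issue is None or issue.borrowernumber != session.borrowernumber:
        raise RenewalError("item is not on loan to this patron")  # authorization
    issue.renewals += 1
    return issue.renewals


def try_renew(session: Session, issues: Dict[int, Issue],
              borrowernumber: int, itemnumber: int) -> str:
    """Run the checked renewal and report the outcome as text, for logging."""
    try:
        n = renew_checked(session, issues, borrowernumber, itemnumber)
        return f"renewed item {itemnumber} (renewal #{n})"
    except RenewalError as e:
        return f"refused: {e}"


if __name__ == "__main__":
    issues = sample_issues()
    # Anonymous caller naming patron 2's item: the unchecked script accepts it.
    print("unchecked:", renew_unchecked(issues, 2, 202))
    # The same request against the checked version is refused.
    print("checked, anonymous:", try_renew(Session(), issues, 2, 202))
    # Patron 1 logged in, naming patron 2's item: refused.
    print("checked, wrong patron:", try_renew(Session(1), issues, 2, 202))
    # Patron 1 renewing their own item: accepted.
    print("checked, own item:", try_renew(Session(1), issues, 1, 101))
```

The point of the second function is that the borrowernumber in the request is never used as a source of truth: identity comes from the session, and the item is checked against that identity, so supplying someone else's numbers gains nothing. The unchecked variant is the one that produces the "renewed without a login" case reported above.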