[Koha-bugs] [Bug 6676] New: Acquisition basket access control trivially by-passable
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Sun Aug 7 13:05:54 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6676
Bug #: 6676
Summary: Acquisition basket access control trivially
by-passable
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: rel_3_4
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: Acquisitions
AssignedTo: henridamien at koha-fr.org
ReportedBy: ef at math.uni-bonn.de
QAContact: koha-bugs at lists.koha-community.org
Currently, while booksellers.pl tries to restrict a user's ability to view
baskets, that's trivially circumvented by simply altering the basketno CGI
parameter to, e.g. baket.pl.
I can think of three ways to close this security hole:
1. Check permissions in every script that deals with baskets. This would
probably require an extension to C4::Auth.
2. Randomise basket numbers.
3. Add a random key to each basket that must be given as a CGI parameter (in
addition to basketno) in order for a script to allow access to that basket.
--
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
More information about the Koha-bugs
mailing list