[Koha-bugs] [Bug 6641] New: Specially crafted URL can allow unauthorized download of MARC files from staff client
bugzilla-daemon at bugs.koha-community.org
Thu Jul 28 17:51:11 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=6641
Bug #: 6641
Summary: Specially crafted URL can allow unauthorized download of MARC files from staff client
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: rel_3_6
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P5
Component: Staff Client
AssignedTo: paul.poulain at biblibre.com
ReportedBy: wizzyrea at gmail.com
QAContact: koha-bugs at lists.koha-community.org
CC: gmcharlt at gmail.com
http://staff.client.url/cgi-bin/koha/catalogue/export.pl?format=utf8&op=export&bib=4224
(as an example) would allow unauthorized users to download MARC files from the
staff side of the ILS. It might be possible to DoS the staff client using this.
The same functionality is available from the OPAC; the download functionality
should only be available from the staff client when a user is logged in.
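For reference, this is how a staff-side export handler looks once it is gated on a staff session. It is an added example, not Koha's actual export.pl or the fix committed for this bug; it assumes the Koha 3.x C4::Auth::checkauth() and C4::Biblio::GetMarcBiblio() interfaces and the 'catalogue' staff permission flag.

```perl
#!/usr/bin/perl
# Added example (not Koha's own export.pl): a staff-side MARC export handler
# that requires a logged-in staff user before it emits a record.
use strict;
use warnings;
use CGI;
use C4::Auth;      # checkauth() - assumed Koha 3.x API
use C4::Biblio;    # GetMarcBiblio() - assumed Koha 3.x API
use C4::Charset;   # SetUTF8Flag() - assumed Koha 3.x API

my $query = CGI->new;

# The unpatched handler skipped this step, so any anonymous request carrying
# ?op=export&bib=N was served the record. With $noauth = 0, checkauth()
# redirects to the staff login page when there is no valid session; the
# 'catalogue' flag (assumed here) limits it to staff accounts.
my ( $userid, $cookie, $sessionID ) =
    checkauth( $query, 0, { catalogue => 1 }, 'intranet' );

my $op     = $query->param('op')     // '';
my $format = $query->param('format') // '';
my $bib    = $query->param('bib')    // '';

# Only the documented operation, and only a numeric biblionumber.
unless ( $op eq 'export' && $bib =~ /^\d+$/ ) {
    print $query->header( -status => '400 Bad Request', -cookie => $cookie );
    exit;
}

my $marc = GetMarcBiblio($bib);
unless ($marc) {
    print $query->header( -status => '404 Not Found', -cookie => $cookie );
    exit;
}

if ( $format eq 'utf8' ) {
    C4::Charset::SetUTF8Flag( $marc, 1 );
    print $query->header(
        -type       => 'application/octet-stream',
        -attachment => "bib-$bib.utf8",
        -cookie     => $cookie,
    );
    print $marc->as_usmarc();
}
else {
    # Unknown format: refuse rather than fall through to a default export.
    print $query->header( -status => '400 Bad Request', -cookie => $cookie );
}
```

The OPAC keeps its own, intentionally public export script; only the staff-client copy needs the session check.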