[Koha-bugs] [Bug 7551] New: Any logged-in OPAC user can renew items for others using a properly constructed URL

bugzilla-daemon at bugs.koha-community.org
Thu Feb 16 21:19:22 CET 2012


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7551

             Bug #: 7551
           Summary: Any logged-in OPAC user can renew items for others
                    using a properly constructed URL
    Classification: Unclassified
 Change sponsored?: ---
           Product: Koha
           Version: master
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: blocker
          Priority: P1 - high
         Component: OPAC
        AssignedTo: oleonard at myacpl.org
        ReportedBy: oleonard at myacpl.org
         QAContact: koha.sekjal at gmail.com


opac-renew.pl takes whatever borrowernumber you give it, so if you know the
borrowernumber and itemnumber of the patron and item you can renew items for
anyone from the OPAC. In my test all that was required was a valid OPAC login.

To reproduce:

1. Log in to the OPAC as any valid user.
2. Point the browser to the URL of opac-renew.pl:

http://koha.example.com/cgi-bin/koha/opac-renew.pl?borrowernumber=X&item=Y

Where X is a Koha patron and Y is the itemnumber of something checked out to X.
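The authorization flaw described above, modelled as an added example (constructed code, not Koha's opac-renew.pl): the vulnerable handler takes the borrowernumber from the URL, the hardened one takes it from the session and ignores the parameter, and an audit helper flags requests where the two disagree. The issues table, session class and function names are assumptions for the example only.

```python
# Constructed model of the opac-renew.pl flaw: the handler trusts a borrowernumber
# taken from the URL instead of the one bound to the logged-in session.
from dataclasses import dataclass

# Stand-in for Koha's issues table (constructed): itemnumber -> borrowernumber
# the item is currently checked out to.
ISSUES = {1001: 42, 1002: 42, 1003: 77}


@dataclass
class Session:
    borrowernumber: int  # the OPAC account that actually authenticated


def renew_vulnerable(session, params, issues=ISSUES):
    """Vulnerable pattern: borrowernumber comes from the request, so any logged-in
    user can renew for any patron whose borrowernumber and itemnumber they know."""
    if session is None:
        return (False, "login required")
    borrower = int(params["borrowernumber"])  # request-controlled, never checked
    item = int(params["item"])
    if issues.get(item) != borrower:
        return (False, "item not checked out to that borrower")
    return (True, f"renewed item {item} for borrower {borrower}")


def renew_fixed(session, params, issues=ISSUES):
    """Hardened pattern: the borrower is the session's own account; a borrowernumber
    in the URL is ignored, and the item must be checked out to that account."""
    if session is None:
        return (False, "login required")
    borrower = session.borrowernumber  # never read from the request
    item = int(params["item"])
    if issues.get(item) != borrower:
        return (False, "item not checked out to you")
    return (True, f"renewed item {item} for borrower {borrower}")


def audit_renewals(records):
    """Detection aid: return the renewal requests whose URL borrowernumber differs
    from the session's borrowernumber. `records` are (session_borrower, params)
    tuples, e.g. reconstructed from web-server logs joined with session data."""
    return [
        (sess, params)
        for sess, params in records
        if "borrowernumber" in params and int(params["borrowernumber"]) != sess
    ]


if __name__ == "__main__":
    other_user = Session(borrowernumber=77)
    forged = {"borrowernumber": "42", "item": "1001"}
    print(renew_vulnerable(other_user, forged))  # (True, 'renewed item 1001 for borrower 42')
    print(renew_fixed(other_user, forged))       # (False, 'item not checked out to you')
```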
