[Koha-bugs] [Bug 12126] New: SIP authentication bypassed
bugzilla-daemon at bugs.koha-community.org
Wed Apr 23 00:22:22 CEST 2014
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12126
Bug ID: 12126
Summary: SIP authentication bypassed
Change sponsored?: ---
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: SIP2
Assignee: koha-bugs at lists.koha-community.org
Reporter: cbrannon at cdalibrary.org
QA Contact: testopia at bugs.koha-community.org
CC: colin.campbell at ptfs-europe.com

SIP Authentication will allow transactions even if credentials are incorrect,
as long as someone has authenticated correctly on the server, even if it is
from another machine!

Steps to reproduce:

1 - Authenticate from machine A with good credentials. Make a transaction.

2 - Use bad credentials on machine B. Make a transaction. For example, check
something out. The transaction will appear in Koha as though it were checked
out from the library credentials machine A was using.

3 - Change the credentials on machine A to a sip user for another library.
Make a transaction.

4 - Using the same or other bad credentials on machine B, check something out.
Koha will show item checked out from the library credentials machine A used
last.

When good credentials are used, SIP transactions work as expected. However,
when bad credentials are used, whether it is username, password, or even port,
Koha fails over to the last good credentials used. As long as you are pointing
to the server, you can complete a transaction.

Christopher
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
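
An added example, not Koha's code and not part of the original report: a small model that replays the four steps above against two login handlers, one keeping the authenticated account in state shared by every connection and one keeping it per connection. The shared-state cause is an assumption made for illustration (the report does not identify one), and all class, account and library names are constructed.

```python
import hmac

# Constructed accounts (user -> (password, library)); not real Koha SIP users.
ACCOUNTS = {"term_a": ("secret-a", "LIB_A"), "term_c": ("secret-c", "LIB_C")}


class SharedStateServer:
    """Flawed pattern (assumed): one account slot shared by all connections."""

    def __init__(self):
        self.account = None

    def login(self, conn_id, user, password):
        entry = ACCOUNTS.get(user)
        if entry and hmac.compare_digest(entry[0], password):
            self.account = entry[1]
            return True
        return False  # failure leaves the last good account in place

    def checkout(self, conn_id, item):
        # Library the checkout is attributed to, or None if refused.
        return self.account


class PerConnectionServer:
    """Hardened pattern: state is keyed by connection and cleared on failure."""

    def __init__(self):
        self.sessions = {}

    def login(self, conn_id, user, password):
        entry = ACCOUNTS.get(user)
        if entry and hmac.compare_digest(entry[0], password):
            self.sessions[conn_id] = entry[1]
            return True
        self.sessions.pop(conn_id, None)  # a failed login drops any prior session
        return False

    def checkout(self, conn_id, item):
        return self.sessions.get(conn_id)


def replay_report_steps(server):
    """Run steps 1-4 of the report; return the library recorded per checkout."""
    steps = [("A", "term_a", "secret-a"), ("B", "bogus", "wrong"),
             ("A", "term_c", "secret-c"), ("B", "bogus", "wrong")]
    recorded = []
    for n, (conn, user, password) in enumerate(steps, 1):
        server.login(conn, user, password)
        recorded.append(server.checkout(conn, f"item{n}"))
    return recorded
```

The same replay, pointed at a test instance of a real SIP2 server, makes a regression check for a fix: steps 2 and 4 must be refused rather than attributed to machine A's library.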