[Koha-bugs] [Bug 12371] Links in every patron self-registration email points to a single borrower

bugzilla-daemon at bugs.koha-community.org
Thu Aug 14 18:35:27 CEST 2014


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12371

dmin <dminuck at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - low                    |P1 - high
                 CC|                            |dminuck at gmail.com
            Version|3.14                        |3.16
           Severity|enhancement                 |critical

--- Comment #2 from dmin <dminuck at gmail.com> ---
When two (or more) patrons are unverified, this issue causes all of the patrons
to receive a verification email with the same token.

If this link is used by the patron who is not associated with the token in the
borrower_modifications table, the user name and password for the borrower who
is associated with that token are displayed, providing access to the account
and personal details of another patron.  

This represents a critical privacy issue with self-registrations.

This issue is known to affect 3.16.X (did not use self-registration in 3.14.X).

Additionally, our borrower_modifications table always shows borrower # as 0,
since borrower number is not generated until the patron is added to the
borrowers table in opac-registration-verify.pl using AddMember_OPAC.

It appears the issue is stemming from the section of opac-memberentry.pl where
the verification email is generated (as all tokens in the
borrower_modifications table are unique) and only the token in the email is
incorrect.
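The mechanism the comment above describes (unique tokens stored per pending registration, but one shared token in the outgoing e-mails, so the second patron's link resolves to the first patron's row and displays that patron's credentials), modelled as an added example. This is constructed illustration code, not Koha's code: the in-memory table, the mailer, and the cause of the wrong token (modelled here as a stale token value handed to the mailer for every recipient) are assumptions, and the two sample patrons are constructed. The audit function is the check a practitioner would run on the outgoing mail: does each link resolve back to the row owned by its recipient?

```python
import secrets
from dataclasses import dataclass

# Script name taken from the bug report; the query-string shape is assumed.
VERIFY_SCRIPT = "opac-registration-verify.pl"


@dataclass
class PendingRegistration:
    email: str
    userid: str
    password: str
    token: str
    borrowernumber: int = 0  # stays 0 until the row is copied to borrowers


class BorrowerModifications:
    """In-memory stand-in for the borrower_modifications table (assumption)."""

    def __init__(self):
        self.rows = []

    def add(self, email, userid, password):
        # One fresh, unpredictable token per pending registration.
        row = PendingRegistration(email, userid, password, secrets.token_hex(16))
        self.rows.append(row)
        return row

    def lookup(self, token):
        # Table scan, as a SELECT ... WHERE verification_token = ? would do.
        for row in self.rows:
            if secrets.compare_digest(row.token, token):
                return row
        return None


def verification_link(token):
    return f"{VERIFY_SCRIPT}?token={token}"


def token_from_link(link):
    return link.split("token=", 1)[1]


def build_email_buggy(row, token_in_scope):
    """Defective mailer: the link is built from whatever token value is in
    scope, not from the token stored for this row (modelled cause; assumption)."""
    return {"to": row.email, "link": verification_link(token_in_scope)}


def build_email_fixed(row):
    """Corrected mailer: the link carries the token stored for this row."""
    return {"to": row.email, "link": verification_link(row.token)}


def verify(table, token):
    """Model of the verification page: it shows the credentials of whichever
    row owns the token, with no check on who followed the link."""
    row = table.lookup(token)
    if row is None:
        return None
    return {"email": row.email, "userid": row.userid, "password": row.password}


def cross_account_exposures(table, emails):
    """Audit: list (recipient, exposed_owner) for every e-mail whose link
    resolves to a row belonging to a different address."""
    findings = []
    for mail in emails:
        shown = verify(table, token_from_link(mail["link"]))
        if shown is not None and shown["email"] != mail["to"]:
            findings.append((mail["to"], shown["email"]))
    return findings


def simulate(buggy):
    """Register two constructed patrons, send their e-mails with either the
    defective or the corrected mailer, and audit the result."""
    table = BorrowerModifications()
    alice = table.add("alice@example.org", "alice", "pw-alice")
    bob = table.add("bob@example.org", "bob", "pw-bob")
    if buggy:
        stale = alice.token  # the single token that ends up in every e-mail
        emails = [build_email_buggy(r, stale) for r in (alice, bob)]
    else:
        emails = [build_email_fixed(r) for r in (alice, bob)]
    return {
        "stored_tokens_unique": len({r.token for r in table.rows}) == len(table.rows),
        "distinct_tokens_in_emails": len({token_from_link(m["link"]) for m in emails}),
        "exposures": cross_account_exposures(table, emails),
    }


if __name__ == "__main__":
    print("buggy:", simulate(buggy=True))
    print("fixed:", simulate(buggy=False))
```

In the buggy run the stored tokens are still all unique, exactly as the comment reports for the real table, yet both e-mails carry one token and Bob's link resolves to Alice's record. The same audit, comparing the token in each queued e-mail against the row it was generated for, is the check to put in front of the send step.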
