[Koha-devel] (big) security hole...
Paul POULAIN
paul.poulain at free.fr
Fri Feb 9 17:38:56 CET 2007
Hello world,
Kyle has found (without searching) a big security hole in fine management.
Koha checks that a user can access a page when calling
get_template_and_user sub.
That's why this sub should always be at the beginning of every page.
Right, BUT: on pay.pl, we record the payment before checking the
template & user permission.
Wow... big bug for libraries that use fines, as anyone that can access
the librarian interface can "pay" fines in Koha without a problem...
This bug should affect every version I'm afraid (2.2, dev_week, tumer,
rel_3_0)
I'll fix 2.2 & rel_3_0 ASAP (toins's 1st job on Monday probably ;-) ).
It probably means just moving the get_template_and_user at the beginning
of the script.
--
Paul POULAIN and Henri Damien LAURENT
Independent consultants
in free software and library science (http://www.koha-fr.org)
Tel: 04 91 31 45 19
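The ordering bug described in the message, as an added Perl example that is not Koha's code: get_template_and_user, record_payment, the fine store and the 'updatecharges' flag name are simplified stand-ins (assumptions), not the real C4::Auth sub or the real pay.pl. The point it demonstrates is that an authorization check placed after a side effect does not protect the side effect: the unprivileged session is refused the page in both variants, but only the fixed ordering leaves the fine untouched.

```perl
#!/usr/bin/perl
# Added example, not Koha code: models the "check after write" bug in pay.pl.
# get_template_and_user, record_payment and the flag name are stand-ins.
use strict;
use warnings;

# Constructed sample state: one borrower with an outstanding fine.
my %fines = ( borrower_42 => 12.50 );

# Stand-in for C4::Auth::get_template_and_user: returns the user name if the
# session carries the required permission flag, otherwise refuses the page.
sub get_template_and_user {
    my ( $session, $required_flag ) = @_;
    die "403: permission '$required_flag' required\n"
        unless $session->{flags}{$required_flag};
    return $session->{user};
}

# Stand-in for the payment write: the side effect that must be guarded.
sub record_payment {
    my ( $borrower, $amount ) = @_;
    $fines{$borrower} -= $amount;
    return $fines{$borrower};
}

# Vulnerable ordering (what the message describes): the payment is written
# before the permission check, so an unprivileged caller still clears the
# fine even though the page render is then refused.
sub pay_vulnerable {
    my ( $session, $borrower, $amount ) = @_;
    record_payment( $borrower, $amount );
    my $user = get_template_and_user( $session, 'updatecharges' );
    return "paid by $user";
}

# Fixed ordering: the permission check is the first thing the script does,
# so a refused session never reaches the write.
sub pay_fixed {
    my ( $session, $borrower, $amount ) = @_;
    my $user = get_template_and_user( $session, 'updatecharges' );
    record_payment( $borrower, $amount );
    return "paid by $user";
}

# Constructed session: can log in to the staff interface, but has no
# 'updatecharges' flag (hypothetical flag name).
my $unprivileged = { user => 'clerk', flags => { catalogue => 1 } };

for my $variant ( [ vulnerable => \&pay_vulnerable ], [ fixed => \&pay_fixed ] ) {
    my ( $name, $sub ) = @$variant;
    $fines{borrower_42} = 12.50;    # reset state between runs
    my $result = eval { $sub->( $unprivileged, 'borrower_42', 12.50 ) }
        // "refused: $@";
    chomp $result;
    printf "%-10s -> %s; remaining fine: %.2f\n",
        $name, $result, $fines{borrower_42};
}
```

Run with `perl pay_order.pl`: the vulnerable variant reports the page as refused yet shows a remaining fine of 0.00, while the fixed variant refuses the page and leaves 12.50 outstanding. Moving the check to the top of the script, as the message proposes, is exactly the difference between the two subs.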