
[Koha-bugs] [Bug 1747] Renew from opac-user.pl causes crash


From: bugzilla-daemon
Subject: [Koha-bugs] [Bug 1747] Renew from opac-user.pl causes crash
Date: Mon, 7 Jan 2008 10:19:10 -0800 (PST)

http://bugs.koha.org/cgi-bin/bugzilla/show_bug.cgi?id=1747


address@hidden changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|major                       |critical




------- Comment #3 from address@hidden  2008-01-07 10:19 -------
Same error affects renewal from staff interface, with either "Renew checked" or
"Renew All".  

http://staff-atz.dev.kohalibrary.com/cgi-bin/koha/reserve/renewscript.pl

HDL: Clearly a patron could not renew unless logged in, but he must already be
logged in to even see what he has checked out!

On the OPAC side, opac/opac-renew.pl is tiny, just 22 lines.  And it does not
seem to require the user to log in, or have any Auth at all.  

Upgrading severity since this is a security flaw and not just a bug: any
anonymous 3rd party could renew items, with just the borrowernumber and
itemnumber!




------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
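The missing check that comment #3 describes, as an added example that is not Koha's code or the commenter's: a renewal handler that trusts the identifiers in the request, next to one that requires a login session and renews only that session's own checkouts. The function names, parameter names, session store and checkout data are all hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code: every name and value here is hypothetical.
use strict;
use warnings;

# Constructed data: server-side sessions and current checkouts.
my %SESSIONS = ( 'sess-51' => { borrowernumber => 51 } );
my %ISSUES   = ( 1001 => 51, 1002 => 77 );    # itemnumber => borrowernumber

# Flawed shape: the borrower's identity comes from the request itself.
sub renew_unauthenticated {
    my ($params) = @_;
    my ( $bn, $item ) = @{$params}{qw(borrowernumber itemnumber)};
    return 'refused: no such checkout'
      unless defined $bn && defined $item
      && exists $ISSUES{$item} && $ISSUES{$item} eq $bn;
    return "renewed item $item for borrower $bn";
}

# Hardened shape: require a live session, take the borrower from it, and
# renew only items checked out to that borrower.
sub renew_authenticated {
    my ( $params, $session_id ) = @_;
    my $session = defined $session_id ? $SESSIONS{$session_id} : undef;
    return 'refused: login required' unless $session;
    my $bn   = $session->{borrowernumber};    # request's borrowernumber is ignored
    my $item = $params->{itemnumber};
    return 'refused: bad itemnumber'
      unless defined $item && $item =~ /\A[0-9]+\z/;
    return 'refused: not checked out to this borrower'
      unless exists $ISSUES{$item} && $ISSUES{$item} == $bn;
    return "renewed item $item for borrower $bn";
}

# Constructed requests: [ label, request parameters, session id or undef ]
my @requests = (
    [ 'anonymous request',     { borrowernumber => 77, itemnumber => 1002 }, undef ],
    [ 'logged in, own item',   { borrowernumber => 51, itemnumber => 1001 }, 'sess-51' ],
    [ 'logged in, other item', { borrowernumber => 77, itemnumber => 1002 }, 'sess-51' ],
);
for my $r (@requests) {
    my ( $label, $params, $sid ) = @$r;
    printf "%-22s | flawed: %-34s | hardened: %s\n",
      $label, renew_unauthenticated($params), renew_authenticated( $params, $sid );
}
```

The first and third requests succeed against the flawed handler and are refused by the hardened one; only the logged-in patron's own item is renewed by both.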



