[Koha-devel] (big) security hole...
From: Paul POULAIN
Subject: [Koha-devel] (big) security hole...
Date: Fri, 09 Feb 2007 17:38:56 +0100
User-agent: Thunderbird 1.5.0.9 (X11/20070111)
Hello world,
Kyle has found (without searching) a big security hole in fine management.
Koha checks that a user can access a page when calling
get_template_and_user sub.
That's why this sub should always be at the beginning of every page.
Right, BUT: on pay.pl, we record the payment before checking the
template & user permission.
Wow... big bug for libraries that use fines, as anyone that can access the
librarian interface can "pay" fines in Koha without problem...
This bug should affect every version I'm afraid (2.2, dev_week, tumer,
rel_3_0)
I'll fix 2.2 & rel_3_0 asap (toins 1st job on monday probably ;-) ).
It probably means just moving the get_template_and_user at the beginning
of the script.
--
Paul POULAIN et Henri Damien LAURENT
Independent consultants
in free software and library science (http://www.koha-fr.org)
Tel: 04 91 31 45 19
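The following Python is an added illustration of the ordering problem the mail describes; it is not code from the mail or from Koha. It models a page handler that performs its side effect (recording the payment) before the permission check, beside the corrected ordering, and adds a small audit check for the footprint the bad ordering leaves. All names here (`Request`, `Ledger`, `pay_vulnerable`, `pay_fixed`, the stand-in `get_template_and_user` and its `flags_required` parameter) are constructed for the example and do not reproduce Koha's `C4::Auth` API or `pay.pl`.

```python
"""Models the ordering bug reported in the mail: a page handler that records a
payment before the permission check runs, beside the corrected ordering.
Constructed example with hypothetical names; it does not reproduce Koha's
C4::Auth API or pay.pl."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class PermissionDenied(Exception):
    """Raised where the real application would redirect to the login page."""


@dataclass
class Request:
    session_user: Optional[str]                    # None models an unauthenticated request
    flags: Set[str] = field(default_factory=set)   # permissions held by the session user
    borrower: int = 0                              # borrower whose fine is being paid
    amount: float = 0.0


@dataclass
class Ledger:
    fines: Dict[int, float]                        # borrower -> outstanding fines
    payments: List[Tuple[int, float, Optional[str]]] = field(default_factory=list)

    def record_payment(self, borrower: int, amount: float, by: Optional[str]) -> None:
        """The side effect: reduce the outstanding fine and log who did it."""
        self.fines[borrower] = self.fines.get(borrower, 0.0) - amount
        self.payments.append((borrower, amount, by))


def get_template_and_user(request: Request, flags_required: Set[str]) -> str:
    """Stand-in for the auth check (hypothetical signature): a user is only
    returned if the session is logged in and holds every required flag."""
    if request.session_user is None or not flags_required <= request.flags:
        raise PermissionDenied("not logged in or missing permission")
    return request.session_user


def pay_vulnerable(request: Request, ledger: Ledger) -> str:
    """Ordering described in the mail: the payment is written first, so the
    denial that follows cannot undo it."""
    ledger.record_payment(request.borrower, request.amount, by=request.session_user)
    return get_template_and_user(request, {"borrowers"})


def pay_fixed(request: Request, ledger: Ledger) -> str:
    """Corrected ordering: nothing is written until the check has passed."""
    user = get_template_and_user(request, {"borrowers"})
    ledger.record_payment(request.borrower, request.amount, by=user)
    return user


def run_anonymous(handler) -> Tuple[bool, int, float]:
    """Drive a handler with an unauthenticated request against a fresh ledger.
    Returns (was_denied, payments_recorded, remaining_fine)."""
    ledger = Ledger(fines={42: 10.0})   # constructed sample: borrower 42 owes 10.00
    anon = Request(session_user=None, borrower=42, amount=10.0)
    try:
        handler(anon, ledger)
        denied = False
    except PermissionDenied:
        denied = True
    return denied, len(ledger.payments), ledger.fines[42]


def run_authorized(handler) -> Tuple[str, int, float]:
    """Same drive with a logged-in user who holds the required flag."""
    ledger = Ledger(fines={42: 10.0})
    librarian = Request(session_user="kyle", flags={"borrowers"}, borrower=42, amount=10.0)
    user = handler(librarian, ledger)
    return user, len(ledger.payments), ledger.fines[42]


def payments_without_user(ledger: Ledger) -> List[Tuple[int, float, Optional[str]]]:
    """Audit check: payments with no recorded actor are the trace the
    vulnerable ordering leaves in the ledger."""
    return [p for p in ledger.payments if p[2] is None]


if __name__ == "__main__":
    print("vulnerable, anonymous:", run_anonymous(pay_vulnerable))  # (True, 1, 0.0)
    print("fixed, anonymous:     ", run_anonymous(pay_fixed))       # (True, 0, 10.0)
    print("fixed, authorized:    ", run_authorized(pay_fixed))      # ('kyle', 1, 0.0)
```

Both handlers deny the anonymous request, which is why the bug is invisible from the browser: the difference is only in the ledger, where the vulnerable ordering has already zeroed the fine. The audit helper shows one way to look for that trace after the fact; the fix itself is the one the mail proposes, moving the check ahead of every write.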