Koha/catalogue
Andreas Roussos f8ce3d88b1 Bug 20083: Information disclosure when (mis)using the MARC Preview feature
The MARC Preview feature in the Staff client (catalogue/showmarc.pl) does not
check whether a user is logged in or not. As a consequence, it can be used to
obtain information that would normally be available to logged-in users only.
For example, you can view any bibliographic record by passing a value to the
'id' argument, but you can also view records as they were imported (normally
done via the 'Staged MARC management' tool).

All three 17.11 installations currently listed at
https://wiki.koha-community.org/wiki/Koha_Demo_Installations
are affected by this issue, as demonstrated by the URLs below:

http://koha.adminkuhn.ch:8080/cgi-bin/koha/catalogue/showmarc.pl?importid=1&viewas=html
http://pro.demo1711-koha.test.biblibre.eu/cgi-bin/koha/catalogue/showmarc.pl?id=1000&viewas=html
https://staff-kohademo.equinoxinitiative.org/cgi-bin/koha/catalogue/showmarc.pl?id=1&viewas=html

It should be noted that this only applies to XSLT-enabled installations.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-04 15:40:07 -03:00
detail.pl Bug 20067: Fix other checks for linked authorised value categories 2018-03-26 17:01:10 -03:00
export.pl Bug 19995: use Modern::Perl in Catalogue perl scripts 2018-02-05 09:45:47 -03:00
getitem-ajax.pl Bug 17843: Replace C4::Koha::getitemtypeinfo with Koha::ItemTypes 2017-07-05 13:42:21 -03:00
image.pl Bug 19995: use Modern::Perl in Catalogue perl scripts 2018-02-05 09:45:47 -03:00
imageviewer.pl Bug 19995: use Modern::Perl in Catalogue perl scripts 2018-02-05 09:45:47 -03:00
ISBDdetail.pl Bug 19367: $biblio variable redefined in same scope in ISBDdetail 2017-10-09 16:02:54 -03:00
issuehistory.pl Bug 18403: Use patron-title.inc when hidepatronname is used [SPECIFIC for issuehistory] 2018-02-12 15:41:39 -03:00
itemsearch.pl Bug 20067: Fix other checks for linked authorised value categories 2018-03-26 17:01:10 -03:00
labeledMARCdetail.pl Bug 19995: use Modern::Perl in Catalogue perl scripts 2018-02-05 09:45:47 -03:00
MARCdetail.pl Bug 19995: use Modern::Perl in Catalogue perl scripts 2018-02-05 09:45:47 -03:00
moredetail.pl Bug 20067: Fix other checks for linked authorised value categories 2018-03-26 17:01:10 -03:00
search-history.pl Bug 16593: Do not allow patrons to delete search history of others patrons 2016-06-24 11:47:29 +00:00
search.pl Bug 20157: Do not display OPAC groups on the staff interface 2018-02-12 15:42:22 -03:00
showmarc.pl Bug 20083: Information disclosure when (mis)using the MARC Preview feature 2018-04-04 15:40:07 -03:00
updateitem.pl Bug 19995: use Modern::Perl in Catalogue perl scripts 2018-02-05 09:45:47 -03:00