git.koha-community.org Git - koha.git/commit

author	Andreas Roussos <arouss1980@gmail.com>
	Fri, 26 Jan 2018 01:12:47 +0000 (14:12 +1300)
committer	Fridolin Somers <fridolin.somers@biblibre.com>
	Tue, 27 Mar 2018 11:58:22 +0000 (13:58 +0200)
commit	09ae62a758d44d669caf0ad095232af4287201a4
tree	8b8982f6c0e5d331620a99c57527795887c6ce3a	tree \| snapshot
parent	5f446a5f0aa4a05f5502e8562c9bdd5552dc1597	commit \| diff

Bug 20083 - Information disclosure when (mis)using the MARC Preview feature

The MARC Preview feature in the Staff client (catalogue/showmarc.pl) does not
check whether a user is logged in or not. As a consequence, it can be used to
obtain information that would normally be available to logged-in users only.
For example, you can view any bibliographic record by passing a value to the
'id' argument, but you can also view records as they were imported (normally
done via the 'Staged MARC management' tool).

All three 17.11 installations currently listed at
https://wiki.koha-community.org/wiki/Koha_Demo_Installations
are affected by this issue, as demonstrated by the URLs below:

http://koha.adminkuhn.ch:8080/cgi-bin/koha/catalogue/showmarc.pl?importid=1&viewas=html
http://pro.demo1711-koha.test.biblibre.eu/cgi-bin/koha/catalogue/showmarc.pl?id=1000&viewas=html
https://staff-kohademo.equinoxinitiative.org/cgi-bin/koha/catalogue/showmarc.pl?id=1&viewas=html

It should be noted that this only applies to XSLT-enabled installations.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 095a92a94e87cac0c8bdf79f2413fb72efb13f9e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>