| commit | 0974bb38889dc5ca2b0abf68715a296d49087f3e | |
| author | Jonathan Druart <jonathan.druart@bugs.koha-community.org> | |
| Thu, 26 May 2016 10:52:19 +0000 (26 11:52 +0100) | ||
| committer | Frédéric Demians <f.demians@tamil.fr> | |
| Mon, 1 Aug 2016 06:53:51 +0000 (1 08:53 +0200) | ||
| tree | db4d672fa2ed495929f730b0a86571e00b780669 | treesnapshot (tar.gz zip) |
| parent | cb2895592a59e181c6ceaff9b9cb3acaf5b4a2e4 | commitdiff |
Bug 16593: Do not allow patrons to delete search history of others patrons
A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.
To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB
Test plan
Confirm that this patch fixes the issue.
The same test can be made at the staff interface
Reported by Alex Middleton at Dionach
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f01720808a574af9872ef3f562a8f3cee7f81060)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
A malicious user can delete the search history of all other users by
correctly guessing the ID value assigned to the victim's search. As
searches are assigned values sequentially, an attacker could quickly
remove the searches belonging to all of the application's users.
To reproduce:
Login with patron A
launch a search
Note the id generated for this search history:
select id from search_history order by id desc limit 1;
Login with patron B
Hit /cgi-bin/koha/opac-search-history.pl?action=delete&id=<ID>
Note that the row is deleted in the DB
Test plan
Confirm that this patch fixes the issue.
The same test can be made at the staff interface
Reported by Alex Middleton at Dionach
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f01720808a574af9872ef3f562a8f3cee7f81060)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
| catalogue/search-history.pl | diffblobblamehistory | |
| opac/opac-search-history.pl | diffblobblamehistory |