Insufficient parameter validation allows unauthenticated exfiltration of AT output
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Critical | Unassigned |
3.10 | Fix Released | Critical | Unassigned |
3.11 | Fix Released | Critical | Unassigned |
3.12 | Fix Released | Critical | Unassigned |
Bug Description
When printing lists (or the basket, which is the temporary list) you're routed through /eg/opac/
I wonder what happens if you change that number.
Spoiler alert: check out the sweet password reset email printout in the attached image.
So it's possible to retrieve the output of any / every AT event in the system by simply starting at 1 and incrementing until you get bored of it. Additionally, while you have to be logged in to request a print preview, you do /not/ have to be logged in to print the output, so anyone can do this to any system without logging in.
Branch coming soon that verifies that the event in question has the appropriate hook for the requested action.
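The check the fix describes (serve an event's output only when that event's hook belongs to the requested action), modelled in Python as an added example that is not Evergreen's code; the event rows, hook names and output text are constructed for illustration, not the real Evergreen values:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ATEvent:
    """One action/trigger event row: the hook that produced it and its rendered output."""
    event_id: int
    hook: str
    output: str


# Constructed sample rows. Hook names and output are illustrative placeholders,
# not Evergreen's actual hook names or templates.
EVENTS = {
    1: ATEvent(1, "record_list.print", "Record list: 3 items"),
    2: ATEvent(2, "password.reset_request", "Reset link: https://example.invalid/reset?token=CONSTRUCTED"),
    3: ATEvent(3, "hold.print", "Hold slip for patron 42"),
}

# Hooks each public action is meant to render (constructed mapping).
ACTION_HOOKS = {
    "print": {"record_list.print", "hold.print"},
}


def output_unchecked(event_id: int) -> Optional[str]:
    """Before the fix: any event id yields its output, whatever hook produced it."""
    event = EVENTS.get(event_id)
    return event.output if event else None


def output_checked(action: str, event_id: int) -> Optional[str]:
    """After the fix: output is returned only when the event's hook is one the
    requested action may render; every other case looks like 'not found', so the
    response does not reveal whether the id exists."""
    allowed = ACTION_HOOKS.get(action)
    if allowed is None:
        return None
    event = EVENTS.get(event_id)
    if event is None or event.hook not in allowed:
        return None
    return event.output


def leaked_ids(start: int, stop: int) -> list[int]:
    """Regression check: ids in [start, stop) the unchecked path exposes but the
    checked 'print' path withholds, i.e. the gap the hook check closes."""
    return [i for i in range(start, stop)
            if output_unchecked(i) is not None and output_checked("print", i) is None]
```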
Changed in evergreen: status: New → Confirmed
Changed in evergreen: assignee: nobody → Jane Sandberg (sandbergja)
Changed in evergreen: milestone: none → 3.13.1
Changed in evergreen: status: Confirmed → Fix Released; information type: Private Security → Public Security
Here's the branch that addresses it; in collab since Mike actually wrote it, not that I necessarily anticipate any additions.
security/collab/jboyer/lp2070078_plug_print_leak