https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32369

            Bug ID: 32369
           Summary: Two Factor Authentication Can Be Bypassed If Catalog
                    and Staff Client URL Aren't Properly Configured
 Change sponsored?: ---
           Product: Koha
           Version: 22.05
          Hardware: All
                OS: All
            Status: NEW
          Severity: minor
          Priority: P5 - low
         Component: Authentication
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
                CC: [email protected]

Ideally, there aren't any publicly accessible, production sites set up in the
way described below, however there is a bypass of 2FA if there are (though this
would still require a compromised PIN).

I have a test environment of Koha on a local-network server. When I first set
it up, I made the staff client address the IP of the server, and the OPAC the
same IP at a specific port (xxx.xxx.xxx.xxx:8081). I've never gotten around to
correcting that, and consequently when I'm logged into the staff client it also
considers me to be logged in to the OPAC, and vice versa (at that point I can
go to either the IP or the IP+Port to go between them).

I set up two factor authentication on a staff account, which is working
correctly when I log into the staff client. As expected, when I log into the
OPAC there's no 2FA code requested; however, I can then just go to the base IP
(the staff client) and I will be logged into the staff client without having to
deal with 2FA.
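The underlying cause is cookie scope: browsers do not isolate cookies by port, so a session cookie issued by an OPAC login on IP:8081 is also sent to the staff client on the bare IP, and a staff-side check that only asks "is this session logged in?" never sees the missing 2FA step. The script below is an added illustration, not Koha's own code: it checks two base URLs for a shared cookie host and contrasts a weak staff-access check with one that requires 2FA completion on the staff interface itself. The preference names `staffClientBaseURL` and `OPACBaseURL`, the `Session` model and the IP addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample values mirroring the report: staff client on the bare IP,
# OPAC on the same IP at port 8081. The preference names are assumed for this
# example and are not taken from the report.
SAMPLE_PREFS = {
    "staffClientBaseURL": "http://192.0.2.10",
    "OPACBaseURL": "http://192.0.2.10:8081",
}


def cookie_host(url: str) -> str:
    """Host a browser scopes cookies to for this URL. Per RFC 6265 the port is
    not part of cookie scope, so only the lower-cased hostname matters."""
    return (urlsplit(url).hostname or "").lower()


def shares_cookie_scope(staff_url: str, opac_url: str) -> bool:
    """True when a session cookie set by one interface is also sent to the other."""
    staff_host = cookie_host(staff_url)
    return staff_host != "" and staff_host == cookie_host(opac_url)


def check_base_urls(prefs: dict) -> list:
    """Configuration check: list findings if the two interfaces would share cookies."""
    staff = prefs.get("staffClientBaseURL", "")
    opac = prefs.get("OPACBaseURL", "")
    findings = []
    if not staff or not opac:
        findings.append("both base URLs must be set before the check is meaningful")
        return findings
    if shares_cookie_scope(staff, opac):
        findings.append(
            f"staff client ({staff}) and OPAC ({opac}) share cookie host "
            f"'{cookie_host(staff)}'; a port difference does not isolate the session cookie"
        )
    return findings


@dataclass
class Session:
    """Hypothetical session record; 'login_interface' is 'opac' or 'intranet'."""
    userid: str
    login_interface: str
    twofa_verified: bool = False


def staff_access_weak(session: Session, twofa_required: bool) -> bool:
    """Check that only asks whether a logged-in session exists. With a shared
    cookie host an OPAC login satisfies it, which is the bypass in the report.
    'twofa_required' is deliberately ignored to model that weakness."""
    return session.userid != ""


def staff_access_strict(session: Session, twofa_required: bool) -> bool:
    """Mitigation: staff access requires that this session completed 2FA, and a
    session issued by an OPAC login never counts as 2FA-complete for staff."""
    if session.userid == "":
        return False
    if not twofa_required:
        return True
    return session.login_interface == "intranet" and session.twofa_verified


if __name__ == "__main__":
    for finding in check_base_urls(SAMPLE_PREFS):
        print("FINDING:", finding)
    opac_session = Session("librarian", "opac")
    print("weak check admits OPAC session:", staff_access_weak(opac_session, True))
    print("strict check admits OPAC session:", staff_access_strict(opac_session, True))
```

Run as-is it reports the shared-host finding for the sample preferences and shows the weak check admitting the OPAC-issued session while the strict check rejects it; pointing the two preferences at distinct hostnames (not just distinct ports) makes the finding disappear.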

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/