[Koha] Clarification Regarding Security issue of Koha.

Fridolin SOMERS fridolin.somers at biblibre.com
Thu Nov 3 01:08:41 NZDT 2016



On 02/11/2016 at 12:55, Fridolin SOMERS wrote:
>
>
> On 02/11/2016 at 12:22, RakeshKumar Singh wrote:
>> Dear Sir,
>>
>> Good morning Sir,
>> There are a few security issues in Koha on which we need some
>> clarification and help in resolving. These issues are as below:
>>
>>
>> Issue No 1: In our application, when we log in, a session is created
>> and saved in the cookies of the browser. When we try to open a restricted
>> page of our application from a different instance of the same browser, we are
>> able to get access as we have already logged in from the same browser.
>> As per my understanding this is happening because the session id is
>> being stored in cookies. This may also be because of sharing of
>> cookie values across different tabs of the same browser for the same
>> application.
>> Requirement: What we want in our application is how to avoid sharing
>> of cookies across the same browser or different browsers.
> How do you access your different instances?
> Does each instance have a VirtualHost or does each instance use a
> specific port on the same hostname?
Ah, and what is the value of the system preference "SessionStorage"?

When you log out, do you get logged out from all instances?

>
>>
>>
>> Issue No 2: There is no salted password mechanism in Koha as per our
>> findings. Whenever we log in to the application the password can
>> easily be tracked by any proxy as there is no salted mechanism
>> implemented.
> You should use HTTPS to secure the authentication system.
> Note that inside the database the password is salted and well encrypted.
>
>>
>>
>>
>> We are facing issues in resolving these.
>>
>> Request you to please help us in this.
>>
>> Thanks in advance.
>>
>> On 11/01/16 09:13 PM, koha-request at lists.katipo.co.nz wrote:
>>>
>>> Nau Mai, Haere Mai ki te whanau Koha. Hello and Welcome to the Koha
>>> Community.
>>>
>>> This is just a brief email to help you make the most of the community,
>>> and the community make the most of you.
>>>
>>> The best thing you can do to start is to introduce yourself. A brief
>>> email to this mailing list saying who you are and what you want to do
>>> is a great way to do that.
>>>
>>> This is the general discussion list for librarians and others
>>> interested in the Koha FOSS (free & open-source software) LMS/ILS
>>> (library management system/integrated library system) and related
>>> activities. It is a companion to other email lists (see
>>> <http://lists.koha-community.org/>) that discuss future development or
>>> aspects of the application.
>>>
>>> Before posting to the list, it's always good to read/search through
>>> the mailing list archive <http://dir.gmane.org/gmane.comp.misc.koha>
>>> and the manual and FAQs <http://koha-community.org/documentation> for
>>> answers to your questions.
>>>
>>> Please feel free to use this list for announcements, questions and
>>> discussions on relevant topics, and please try to keep it positive and
>>> polite. Pro-free-software LMS/ILS news is welcome. Debating
>>> definitions of “free” is not.
>>>
>>> Please send plain text emails and if you opt for the digest, change
>>> the subject line when you reply (as described at the top of the
>>> digest). In general, try to keep subject lines accurate and try to
>>> write the sort of message that you'd be happy if it appeared on the
>>> letters page of a national newspaper or magazine. Other useful
>>> netiquette guidelines can be found in Internet RFC 1855
>>> <http://tools.ietf.org/rfc/rfc1855.txt>.
>>>
>>> Emails from non-subscribers (and other emails held for review) will
>>> usually be sent to this list in a batch once a day.
>>>
>>> Websites and bloggers may find the gmane archive
>>> <http://dir.gmane.org/gmane.comp.misc.koha> more useful for linking,
>>> because its comment system is open to all.
>>>
>>> Some other useful sites to keep an eye on are included below:
>>>
>>> - Koha project home page <http://koha-community.org> - Here you will
>>> find links to other Koha websites and announcements of interest to the
>>> Koha community.
>>>
>>> - Koha Bugs <http://bugs.koha-community.org> - Here you will find
>>> enhancement projects as well as bugs
>>>
>>> - Koha Developer Wiki <http://wiki.koha-community.org> - information
>>> about the development process and RFCs (Request for Comments)
>>>
>>> - Koha Git Repository <http://git.koha-community.org/> - patches and
>>> enhancements to Koha from the community
>>>
>>> - Koha Documentation <http://koha-community.org/documentation>
>>>
>>> We look forward to meeting you and working with you.
>>>
>

-- 
Fridolin SOMERS
Biblibre - Support and systems teams
fridolin.somers at biblibre.com