[Koha] SIP2 AF field sent even if patron password is invalid

Kyle Hall kyle.m.hall at gmail.com
Thu Jul 31 23:25:49 NZST 2014


I think the essential problem is SIP has two levels of authentication. The
SIP server level, then the patron level. I think the SIP protocol intends
for the SIP client to behave responsibly with the data it gets, but in
reality SIP device manufacturers don't seem to try very hard.

For instance, what if we had a system with users that would periodically
mine a SIP2 server for data? Let's say it's a university system that needs
to know if a student owes the library money and they can't graduate without
paying off any money owed to the library. In this case, SIP2 must be able
to supply all the data even without knowing the patron's password.

As far as I can tell, the SIP2 spec does not intend a bad user password to
limit any data; it is up to the client to determine what and what not to
display given a bad patron password.

But, since we can't strong-arm SIP2 device manufacturers into using SIP2
properly, we need to deal with this ourselves.

Kyle

http://www.kylehall.info
ByWater Solutions ( http://bywatersolutions.com )
Meadville Public Library ( http://www.meadvillelibrary.org )
Crawford County Federated Library System ( http://www.ccfls.org )
Mill Run Technology Solutions ( http://millruntech.com )


On Wed, Jul 30, 2014 at 10:03 AM, Aaron Sakovich <asakovich at hmcpl.org>
wrote:

> Hi,
>
> I'm also concerned about the wealth of other info returned if an invalid
> password is provided. I just tried sending a bad password and got the
> following info returned from Koha:
>
> 64              00120140730    084016000000000000000000000000AOMAIN|AA21562006551554|AESpunky Tester|BLY|CQN|CC15.00|BD915 Monroe Street Huntsville AL 35801 Madison|BEaarons at hmcpl.org|PB
>
> AE: full name
> CQ: password verification failed!
> BD: street address
> BE: email address
>
> I did not see the AF field returned. However, someone with nefarious
> intent could harvest a LOT of patron info from SIP by just randomly (or
> sequentially) throwing out guessed library card numbers. Shouldn't the only
> thing returned be a CQN? (NB: we're on 3.14)
>
> Aaron
> --
> Aaron Sakovich
> Internet and Technology Services manager
> Huntsville-Madison County Public Library
> http://hmcpl.org/ -- asakovich at hmcpl.org
>
>
>
> On Jul 29, 2014, at 10:35 AM, Kyle Hall <kyle.m.hall at gmail.com> wrote:
>
> > I have an interesting SIP2 implementation issue. When authenticating
> > through SIP2, if a valid patron id is passed in, but an *invalid*
> > password is passed in, Koha's SIP2 server sends back the AF ( screen
> > message ) field even though the credentials are invalid. If a patron
> > owes any fees, the server will send back the amount owed in an AF field.
> >
> > For instance, Overdrive will display this AF field even with an invalid
> > password. Freegal does not ( but it may not display any AF field ). At
> > least one SIP2 machine we tested against will also display the AF field
> > when an invalid password is submitted.
> >
> > Is this a Koha issue, or a client side issue? The SIP2 protocol
> > specification does not indicate that AF fields should be removed in the
> > event of an invalid password. My guess is that some SIP2 server
> > implementations may send back "Invalid password" messages which may be
> > useful.
> >
> > Kyle
> >
> > http://www.kylehall.info
> > ByWater Solutions ( http://bywatersolutions.com )
> > Meadville Public Library ( http://www.meadvillelibrary.org )
> > Crawford County Federated Library System ( http://www.ccfls.org )
> > Mill Run Technology Solutions ( http://millruntech.com )
> > _______________________________________________
> > Koha mailing list  http://koha-community.org
> > Koha at lists.katipo.co.nz
> > http://lists.katipo.co.nz/mailman/listinfo/koha
> >
>
>