ExLibris

    WebV: PIN login works with default PIN if last name contains diacritics

    • Article Type: Known Issue
    • Product: Voyager
    • Product Version: 7.0.1

    Workflow implications: A security hole exists in WebVoyáge in which Patron Authentication is seriously weakened for some patrons.

    Symptoms

    * If PIN usage is enabled in WebVoyage, patrons whose last name contains a diacritic are able to log in with both their own PIN and the default PIN

    Defect Status

    Issue 16384-13713 resolved for Voyager 8.1.0 and higher.

    Additional Information

    Replication steps:

    1.  In webvoyage.properties, ensure that option.usePIN=Y and that option.defaultPIN=0000
    2.  In Circulation, create a patron record with the last name of WebVoyáge
    3.  Set the patron’s PIN to 12345
    4.  Load WebVoyáge and log into MyAccount using the barcode, last name and PIN entered into Circulation. Everything should work as expected.
    5.  Log out of WebVoyáge and log back in, this time using a PIN of 0000 instead of 12345. The patron is still authenticated even though the PIN is incorrect.
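
An added example, not Ex Libris code: a small audit that an administrator on a release earlier than 8.1.0 could run to list the patron records exposed to the behaviour in the steps above. The sample properties text, patron list and barcodes are constructed, the function names are hypothetical, and which characters count as a diacritic is an assumption, since the page does not say.

```python
import unicodedata

# Constructed sample input; both keys are the ones named in the replication steps.
SAMPLE_PROPERTIES = """\
option.usePIN=Y
option.defaultPIN = 0000
"""

# Constructed patron export of (barcode, last name); barcodes are placeholders.
SAMPLE_PATRONS = [
    ("BARCODE-0001", "WebVoyáge"),
    ("BARCODE-0002", "Smith"),
    ("BARCODE-0003", "Nun\u0303ez"),  # decomposed: n + combining tilde
    ("BARCODE-0004", "Østergaard"),
]


def parse_properties(text):
    """Parse key=value lines of a Java-style properties file (no continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def has_diacritic(name):
    # Assumption: the page does not say which characters trigger the defect, so
    # any combining mark (after NFD) or non-ASCII letter counts as affected.
    decomposed = unicodedata.normalize("NFD", name)
    return any(unicodedata.combining(ch) or (ch.isalpha() and not ch.isascii())
               for ch in decomposed)


def patrons_to_review(properties_text, patrons):
    """Return barcodes of patrons who may be able to log in with the default PIN."""
    props = parse_properties(properties_text)
    # Assumption: exposure needs PIN login enabled and a default PIN configured.
    if props.get("option.usePIN", "").upper() != "Y" or not props.get("option.defaultPIN"):
        return []
    return [barcode for barcode, last_name in patrons if has_diacritic(last_name)]


if __name__ == "__main__":
    print(patrons_to_review(SAMPLE_PROPERTIES, SAMPLE_PATRONS))
```

The resulting list is the set of accounts to prioritise for review until the installation is on Voyager 8.1.0 or higher.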

    Category: OPAC


    • Article last edited: 3/7/2015