X Services security
- Article Type: General
- Product: Aleph
- Product Version: 17.01
Description:
When investigating X Services documentation for the first time we were perturbed to find that, provided a patron's ID number is known, all patron information is freely available over the web without any authentication check.
Should this be so?
Resolution:
To address the security issue, we suggest changing the password of the GUI user WWW-X, which is used by all X-server transactions, and adding the following to the URLs:
&user_name=WWW-X&user_password=NEW-PW
Another method is to start with:
/X?op=login&library=XXX50&user_name=WWW-X&user_password=NEW-PW
and then adding the session ID to each subsequent request, for example:
&session=DYNYB4ACFLXXNARS49QFXTGQN89MU4QM3KHAQ79YE49PX8MH27
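As an added illustration of the second method (this is example code, not part of the Ex Libris article or of Aleph itself): a small client that performs the op=login call once, takes the session ID from the response, and attaches only that session ID to the following bor-info request, so the WWW-X password travels in exactly one URL instead of every one. It also masks the password and session parameters before a URL is written to a log, because query strings are routinely recorded in web-server and proxy access logs. Everything about the server is an assumption: BASE_URL is a placeholder, the login response is assumed to be XML carrying a `<session-id>` element, and bor-info is assumed to take `library` and `bor_id` parameters. The offline run uses a constructed sample response in place of a live server.

```python
# Added example, not from the article or from Aleph. Assumptions: BASE_URL is a
# placeholder; op=login is assumed to answer with XML containing <session-id>;
# bor-info is assumed to take "library" and "bor_id".
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs, urlunsplit
import urllib.request

BASE_URL = "https://aleph.example.org/X"   # placeholder, replace with the real X-server URL
LIBRARY = "XXX50"                           # ADM library code as written in the article

SENSITIVE_PARAMS = ("user_password", "session")


def build_url(op, params, user_name=None, user_password=None, session=None):
    """Build an X-server URL that always carries authentication.

    Either a session ID (from a prior op=login) or the WWW-X user name and
    password is attached; an unauthenticated URL is refused so a caller cannot
    accidentally reproduce the open bor-info request the article describes.
    """
    query = {"op": op, **params}
    if session:
        query["session"] = session
    elif user_name and user_password:
        query["user_name"] = user_name
        query["user_password"] = user_password
    else:
        raise ValueError("refusing to build an unauthenticated X-server request")
    return BASE_URL + "?" + urlencode(query)


def redact_url(url):
    """Return the URL with password and session values masked, for log lines."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for key in SENSITIVE_PARAMS:
        if key in query:
            query[key] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def parse_session(login_xml):
    """Extract the session ID from an op=login response (assumed XML layout)."""
    root = ET.fromstring(login_xml)
    node = root.find(".//session-id")
    if node is None or not (node.text or "").strip():
        raise ValueError("login did not return a session-id")
    return node.text.strip()


def http_get(url):
    """Real transport over HTTPS; not used by the offline demonstration."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def fetch_bor_info(bor_id, user_name, user_password, get=http_get):
    """Log in once, then request bor-info with the session ID so the password
    is sent only in the login request. `get` is injectable for offline tests."""
    login_url = build_url("login", {"library": LIBRARY},
                          user_name=user_name, user_password=user_password)
    session = parse_session(get(login_url))
    info_url = build_url("bor-info", {"library": LIBRARY, "bor_id": bor_id},
                         session=session)
    return get(info_url), redact_url(info_url)


# Constructed sample response standing in for a live server (session ID taken
# from the article's example).
SAMPLE_LOGIN_XML = (
    '<?xml version="1.0"?><login>'
    "<session-id>DYNYB4ACFLXXNARS49QFXTGQN89MU4QM3KHAQ79YE49PX8MH27</session-id>"
    "</login>"
)


def fake_get(url):
    """Offline stand-in for http_get: answers op=login with the sample XML and
    any other op with a marker showing whether a session parameter arrived."""
    query = parse_qs(urlsplit(url).query)
    if query.get("op") == ["login"]:
        return SAMPLE_LOGIN_XML
    return "<bor-info-response op=%r session_present=%s/>" % (
        query["op"][0], "session" in query)


if __name__ == "__main__":
    body, safe_url = fetch_bor_info("12345", "WWW-X", "NEW-PW", get=fake_get)
    print(safe_url)   # password and session values masked
    print(body)
```

Replacing `fake_get` with the default `http_get` turns this into a real client once BASE_URL points at the X-server; the session ID should still be treated as a credential (the `session` value is masked for the same reason the password is), and the WWW-X password belongs in configuration rather than in the script.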
Additional Information:
X Services security bor-info
- Article last edited: 10/8/2013