Bug 20083: Information disclosure when (mis)using the MARC Preview feature

Bug 20083: Information disclosure when (mis)using the MARC Preview feature

The MARC Preview feature in the Staff client (catalogue/showmarc.pl) does not
check whether a user is logged in or not. As a consequence, it can be used to
obtain information that would normally be available to logged-in users only.
For example, you can view any bibliographic record by passing a value to the
'id' argument, but you can also view records as they were imported (normally
done via the 'Staged MARC management' tool).

All three 17.11 installations currently listed at
https://wiki.koha-community.org/wiki/Koha_Demo_Installations
are affected by this issue, as demonstrated by the URLs below:

http://koha.adminkuhn.ch:8080/cgi-bin/koha/catalogue/showmarc.pl?importid=1&viewas=html
http://pro.demo1711-koha.test.biblibre.eu/cgi-bin/koha/catalogue/showmarc.pl?id=1000&viewas=html
https://staff-kohademo.equinoxinitiative.org/cgi-bin/koha/catalogue/showmarc.pl?id=1&viewas=html

It should be noted that this only applies to XSLT-enabled installations.

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>