VuFind 1.0 Cross Site Scripting

Published: 26 Sep 2015. Reported by: Jing Wang. Source: packetstorm (packetstormsecurity.com)

VuFind 1.0 Web App Reflected XSS Security Issue

Code
`*VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day Bug Security Issue*  
  
Exploit Title: VuFind Results? &lookfor parameter Reflected XSS Web Security Vulnerability  
Product: VuFind  
Vendor: VuFind  
Vulnerable Versions: 1.0  
Tested Version: 1.0  
Advisory Publication: September 20, 2015  
Latest Update: September 25, 2015  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference:  
Impact CVSS Severity (version 2.0):  
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)  
Impact Subscore: 2.9  
Exploitability Subscore: 8.6  
CVSS Version 2 Metrics:  
Access Vector: Network exploitable; victim must voluntarily interact with attack mechanism  
Access Complexity: Medium  
Authentication: Not required to exploit  
Impact Type: Allows unauthorized modification  
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)  
  
*Suggestion Details:*  
  
*(1) Vendor & Product Description:*  
  
*Vendor:*  
VuFind  
  
*Product & Vulnerable Versions:*  
VuFind  
1.0  
  
*Vendor URL & Download:*  
The product can be obtained from:  
http://sourceforge.net/p/vufind/news/  
  
*Product Introduction Overview:*  
"VuFind is a library resource portal designed and developed for libraries by libraries. The goal of VuFind is to enable your users to search and browse through all of your library's resources by replacing the traditional OPAC to include: Catalog Records, Locally Cached Journals, Digital Library Items, Institutional Repository, Institutional Bibliography, Other Library Collections and Resources. VuFind is completely modular so you can implement just the basic system, or all of the components. And since it's open source, you can modify the modules to best fit your need or you can add new modules to extend your resource offerings. VuFind runs on Solr Energy. Apache Solr, an open source search engine, offers amazing performance and scalability to allow for VuFind to respond to search queries in milliseconds time. It has the ability to be distributed if you need to spread the load of the catalog over many servers or in a server farm environment. VuFind is offered for free through the GPL open source license. This means that you can use the software for free. You can modify the software and share your successes with the community! Take a look at our VuFind Installations Wiki page to see how a variety of organizations have taken advantage of VuFind's flexibility. If you are already using VuFind, feel free to edit the page and share your accomplishments."  
  
*(2) Vulnerability Details:*  
The VuFind web application is vulnerable to reflected cross-site scripting (XSS). A remote attacker can create a specially crafted request that, when a user follows it, executes arbitrary script code in that user's browser session within the trust relationship between their browser and the server.  
  
Several similar 0-day vulnerabilities have been reported by other researchers before, and VuFind has patched some of them. "scip AG was founded in 2002. We are driven by innovation, sustainability, transparency, and enjoyment of our work. We are completely self-funded and are thus in the comfortable position to provide completely independent and neutral services. Our staff consists of highly specialized experts who focus on the topic information security and continuously further their expertise through advanced training".  
  
  
*(2.1)* The code flaw occurs in the "lookfor" parameter of the "/vufind/Resource/Results?" page.  
  
Another researcher has reported a similar vulnerability, which VuFind has patched:  
https://vufind.org/jira/si/jira.issueviews:issue-html/VUFIND-54/VUFIND-54.html  
  
*(3) Solution:*  
Update to a newer version.  
  
*References:*  
http://tetraph.com/security/xss-vulnerability/vufind-xss/  
http://securityrelated.blogspot.com/2015/09/vufind-xss.html  
https://vulnerabilitypost.wordpress.com/2015/09/22/vufind-xss/  
http://tetraph.blog.163.com/blog/static/234603051201582525130175/  
https://packetstormsecurity.com/files/133374/Winmail-Server-4.2-Cross-Site-Scripting.html  
http://marc.info/?l=oss-security&m=144094021709472&w=4  
http://lists.openwall.net/full-disclosure/2015/08/31/2  
http://ithut.tumblr.com/post/128012509383/webcabinet-winmail-server-42-reflected-xss  
http://seclists.org/fulldisclosure/2015/Aug/84  
  
--  
Jing Wang,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU), Singapore.  
http://www.tetraph.com/wangjing/  
https://twitter.com/justqdjing  
  
`
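
Added example (this is neither VuFind's code nor part of the advisory above): a minimal Python model of the reflected sink described in section (2.1), shown unescaped beside a version hardened with contextual HTML escaping, together with a check a defender can run over web-server access logs to find requests to /vufind/Resource/Results whose lookfor value carries markup. The page model, the log lines and the IP addresses are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical minimal model of a results page that echoes the search term
# into an attribute and a text node. This is NOT VuFind's template code.
def render_results_vulnerable(lookfor: str) -> str:
    # Unescaped reflection: the sink the advisory describes.
    return f'<input name="lookfor" value="{lookfor}"><h2>Results for {lookfor}</h2>'

def render_results_hardened(lookfor: str) -> str:
    # Escape &, <, >, " and ' so the value is inert in both contexts.
    safe = html.escape(lookfor, quote=True)
    return f'<input name="lookfor" value="{safe}"><h2>Results for {safe}</h2>'

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2015:10:00:01 +0000] "GET /vufind/Resource/Results?lookfor=solr+tuning HTTP/1.1" 200 5120
192.0.2.11 - - [20/Sep/2015:10:00:02 +0000] "GET /vufind/Resource/Results?lookfor=%22%3E%3Cscript%3Ex()%3C/script%3E HTTP/1.1" 200 5300
192.0.2.12 - - [20/Sep/2015:10:00:03 +0000] "GET /vufind/Record/123 HTTP/1.1" 200 2048
"""

_REQUEST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')
# Coarse heuristic for HTML/script metacharacters; tune for your environment.
_MARKUP = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)

def suspicious_lookfor_requests(log_text: str) -> list:
    """Return (client IP, decoded lookfor) for Results requests whose lookfor
    value contains markup, i.e. candidate attempts against the reflected sink."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.endswith("/Resource/Results"):
            continue
        # parse_qs percent-decodes once, matching what the server would reflect.
        for value in parse_qs(parts.query).get("lookfor", []):
            if _MARKUP.search(value):
                hits.append((m.group("ip"), value))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_lookfor_requests(SAMPLE_LOG):
        print(f"{ip} sent markup in lookfor: {value!r}")
    print(render_results_hardened('"><script>x()</script>'))
```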
