BibORB.txt

2005-02-25T00:00:00
ID PACKETSTORM:36209
Type packetstorm
Reporter Patrick Hof
Modified 2005-02-25T00:00:00

Description

                                        
                                            `= Advisory: Multiple Vulnerabilities in BibORB =  
================================================  
  
Multiple vulnerabilities were found in BibORB which result in SQL   
injection, XSS, directory traversal and arbitrary file upload.  
  
== Details ==  
=============  
  
Product: BibORB  
Affected Version: 1.3.2, probably all lower versions  
Immune Version: 1.3.2 Security Update, 1.3.3 RC1  
OS affected: all  
Security-Risk: high  
Remote-Exploit: yes  
Vendor-URL: http://biborb.glymn.net/  
Vendor-Status: notified  
CVE: CAN-2005-0251 - 0254  
  
  
== Introduction ==  
==================  
  
"BibORB is a web-interface to BibTeX bibliographies (the bibliographic   
system used with LaTeX). It offers an easy to use solution to manage and   
share BibTeX bibliographies and electronic releases of papers."  
(from maintainer's page)  
  
XSS, SQL injection, directory traversal and arbitrary file upload make   
it possible to completely compromise the application and its users.  
  
== More Details ==  
==================  
  
=== XSS ===  
===========  
  
CAN-2005-0251  
  
Some variables containing user data are not filtered, so XSS is possible.  
  
=== Proof of Concept ===  
========================  
  
http://path/to/biborb/bibindex.php?mode=displaysearch&search=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sort=ID  
  
or  
  
Add Database -> Description: <script>alert('XSS')</script>  
  
executed everytime the Database is shown.  
  
  
=== SQL Injection ===  
=====================  
  
CAN-2005-0252  
  
If MySQL is used as authorization backend, SQL Injection may be used to   
get admin status.  
  
=== Proof of Concept ===  
========================  
  
When logging in, use the following username and password:  
  
Username: x' or 1=1 or login='x  
Password: x') or 1=1 or password=md5('x  
  
  
=== Directory Traversal ===  
===========================  
  
CAN-2005-0253  
  
If a user has the right to delete database entries, arbitrary files   
accessable by the user under which the application runs may be deleted.  
  
=== Proof of Concept ===  
========================  
  
http://path/to/biborb/index.php?mode=result&database_name=../config.php&action=Delete  
  
  
=== Arbitrary file upload ===  
  
CAN-2005-0254  
  
When a new entry is created, the user is presented with a mask where PDF   
and PS files can be uploaded as an addition to the entry. There is no   
check what files the user uploads, and those files are linked with   
standard icons widely used to show that the file is a PDF or PS file.   
Users may be fooled to click the icon and download malicious code   
instead of the desired PDF or PS file.  
  
=== Proof of Concept ===  
========================  
  
Just upload some arbitrary data file when creating a new entry.  
  
  
== Fix ==  
=========  
  
Update to either BibORB 1.3.2 Security Update or to 1.3.3 RC1.  
  
  
== Security Risk ==  
===================  
  
High, because the application can be completely compromised.  
  
  
== Vendor Status ==  
===================  
  
01.02.2005 Maintainer contacted  
08.02.2005 Delayed response due to mail problems  
09.02.2005 First release of a patch  
16.02.2005 Final patched version released  
`