
Multiple XSS vulnerabilities in i-librarian 4.10

CyStack Advisory ID: CSA-2019-01
CVE IDs: CVE-2019-11359, CVE-2019-11428, CVE-2019-11449
Severity: Medium

Recently, we decided to find and get some CVEs assigned. When looking for a web project to audit, we came upon i-librarian 4.10, a PHP web application that has over 100 stars on Github. A few hours of relatively easy work finding bugs, and we got 3 CVEs with our names on them.

Multiple vulnerable entry points

So we have narrowed our search to 1 web application. The next step is to find actual vulnerabilities within this app. I, librarian is written in plain PHP, and the front end doesn’t use any template engine. Naturally, this opens up lots of attack surface for well-known web attacks. We chose to find a classic web vulnerability, and that is XSS. A simple grep returns multiple entry points for potential XSS attacks:
grep -Pn 'print|echo \$_(GET|POST)' . -R

Not all of the returned lines of code are vulnerable to XSS attacks. Some parameters are typecast to int before being returned in the web page. Another common mitigation is whitelisting. Whitelisting certainly does prevent XSS, but it cannot be used everywhere, otherwise the functionality of the app can suffer. There are also some variables filtered with strip_tags() before being displayed. This can be easily bypassed, because strip_tags() only removes tags and leaves quotes and other attribute-breaking characters intact. Use of htmlspecialchars() should be preferred when it comes to preventing XSS.

Endpoint 1: display.php

$project = $_GET['project'];
...
 print '<a href="rss.php?project=' . $project . '" target="_blank" id="rss-link">&nbsp;<i class="fa fa-rss"></i> Project RSS</a>';

The $project variable is not sanitized. This is a classic case of reflected XSS. CVE-2019-11359 was assigned to this vulnerability.

Endpoint 2: export.php

if (isset($_GET['export_files']))
        $get_post_export_files = $_GET['export_files'];
...
<input type="hidden" name="export_files" value="<?php print $get_post_export_files ?>">

This case is mostly the same as the previous one: $_GET['export_files'] is displayed directly in the final HTML page.
We reported this to the vendor, and got CVE-2019-11428 assigned.

Endpoint 3: notes.php

if (isset($_GET['file'])) {
    $query = $dbHandle->quote($_GET['file']);
    $user_query = $dbHandle->quote($_SESSION['user_id']);
    $result = $dbHandle->query("SELECT title FROM library WHERE id=$query");
    $title = $result->fetchColumn();
    $result = null;
    $result = $dbHandle->query("SELECT notes FROM notes WHERE fileID=$query AND userID=$user_query LIMIT 1");
    $notes = $result->fetchColumn();
    $result = null;
}
...
print $notes;

This one is different from the previous two, as it is a stored XSS vulnerability. The result of a database query is displayed in the web page through the call to print $notes;. To exploit this, we must first create a malicious data record in the database. Triggering XSS is then trivial. CVE-2019-11449 was assigned to this vulnerability.
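The three outputs above with context-aware output encoding applied, as an added example that is not i-librarian's own code (the helper names, the PDO-style use of $dbHandle and the sample input are assumptions):

```php
<?php
// Added example, not part of i-librarian: encode each value for the
// HTML context it lands in instead of printing it raw or stripping tags.
declare(strict_types=1);

/** Encode a value for an HTML text node or a double-quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES also encodes single quotes, which matters in attributes;
    // ENT_SUBSTITUTE prevents invalid UTF-8 from emptying the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** display.php: reflected parameter placed inside an href attribute. */
function rssLink(string $project): string
{
    // Encode for the URL query component first, then for the attribute.
    $url = 'rss.php?project=' . rawurlencode($project);
    return '<a href="' . e($url) . '" target="_blank" id="rss-link">Project RSS</a>';
}

/** export.php: reflected parameter placed in a hidden input's value. */
function exportFilesInput(string $exportFiles): string
{
    return '<input type="hidden" name="export_files" value="' . e($exportFiles) . '">';
}

/** notes.php: stored value from the database rendered as HTML text. */
function notesHtml(PDO $dbHandle, string $fileParam, int $userId): string
{
    // The file id is numeric, so cast it rather than quoting a free string.
    $fileId = (int) $fileParam;
    $stmt = $dbHandle->prepare(
        'SELECT notes FROM notes WHERE fileID = :f AND userID = :u LIMIT 1'
    );
    $stmt->execute([':f' => $fileId, ':u' => $userId]);
    $notes = $stmt->fetchColumn();
    // Stored data is untrusted at output time just like a GET parameter.
    return e($notes === false ? '' : (string) $notes);
}

// Constructed sample input: strip_tags() drops the <b> tags but keeps the
// double quote and '>' that can close an attribute; e() neutralises both.
$sample = '"><b>x</b>';
echo "strip_tags:      " . strip_tags($sample) . PHP_EOL;
echo "htmlspecialchars: " . e($sample) . PHP_EOL;
echo rssLink($sample) . PHP_EOL;
echo exportFilesInput($sample) . PHP_EOL;
```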

Conclusion

I, librarian 4.10 has multiple XSS vulnerabilities. Finding these bugs has helped us get CVEs quite easily.
